1.  INTRODUCTION


By LCF, I mean the Milner version of a logic proposed by Dana Scott in 1969, mechanized by Milner in 1971, and described by Milner in [1,2]. [1] is actually the user's manual for the LCF proof-checker which has been the vehicle for generating formal proofs in the logic.


Since the development of the proof-checker, LCF has been successfully applied to various traditional problem areas of the Mathematical Theory of Computation. The principal experiments have involved program semantics, correctness of programs, termination of programs and compiler correctness [2,3,4].


In each of the examples reported a machine checked proof was generated which increased the reliability of the solution enormously. However, each proof also made a large number of assumptions in the form of unproved theorems and redundant axioms. Although it can be demonstrated that the particular assumptions involved do not invalidate those experiments, it is clear that the proofs would be considerably more reliable if a solid axiomatic theory was already available to give all the required background results.


The three particular areas of mathematical knowledge which are developed in this paper, namely integer arithmetic, list manipulation and a theory of finite sets, are very important in computation. Moreover, in proving assertions about programs, these theories provide most of the mathematical material which would be classified as background results.


The current project has been to develop a very large theorem bank which will act as an appropriate mathematical environment for future applications of LCF. So far over 330 theorems have been proved (with the aid of the LCF proof-checker, of course) from the axioms given in this paper.


Although there is no distinction possible (in the LCF system) between axioms and definitions (both are declared as AXIOMs), effort was made in the axiomatisation to introduce new functions as terms of the logic. This strategy makes it easier to demonstrate consistency for the sets of axioms presented. Similarly, in the presentation of AXIOMs a contrast is effected by labelling them either axioms (AX) or definitions (DEF).


The large body of theorems, alluded to above, is organised as a sequence of appendices. All the theorems of any appendix depend on the same group of axioms or definitions and appear in an order which is appropriate for efficient proof of the whole group (by making use of the theorem-using facility of LCF). Note that the indentation of theorems is only to make the page layout a little prettier.
2.  THEOREMS FROM NO AXIOMS AND A PROPOSITIONAL LOGIC


Appendix 1 gives a number of theorems that require no axioms (strictly - no nonlogical axioms) for their proof in LCF. All can be proved in a few lines but it shortens and so helps to clarify later proofs if they are available.

The theorems

    ∀p. p→TT,FF ≡ p
    ∀p. p→UU,UU ≡ UU
    [λx. UU] ≡ UU

are important as permanent members of the simplification set of the LCF proof checker. It is also worth mentioning that the block of results exemplified by

    p→TT,UU ≡ FF  ⊢  TT≡FF

are designed to make use of the proof by contradiction facility in LCF which 'knows' that TT≡FF (and a few similar wffs) is a contradiction.


A function from and to the domain of truth values which represents the logical NOT operation is readily defined in LCF as

    DEF 2.1   ¬ ≡ [λx. x→FF,TT]

Appendix 2 shows that it behaves according to the truth table

       x  |  TT   FF   UU
    ------+---------------
      ¬x  |  FF   TT   UU

The logical OR operation, however, cannot be defined in this way and must be axiomatised (the point is taken up again in section 3). Its intended truth table is

      x∨y |  y: TT   FF   UU
    ------+------------------
    x: TT |     TT   TT   TT
    x: FF |     TT   FF   UU
    x: UU |     TT   UU   UU

We therefore axiomatize the relation as below and note that each axiom is trivially faithful to the above truth table. Moreover the theorems of Appendix 2 show the whole truth table is derivable.


    AX 2.2   ∀P. P∨TT ≡ TT

    AX 2.3   ∀P. P∨FF ≡ P

    AX 2.4   ∀P. P∨UU ≡ (P→TT,UU)


An appropriate definition for logical AND is now possible (see below) in terms of the OR operation. We also give an explicit definition of equivalence. The results of appendix 2 give the truth tables for these operators shown below.


    DEF 2.5   ∧ ≡ [λx y. ¬((¬x) ∨ (¬y))]

    DEF 2.6   = ≡ [λx y. x→y,(y→FF,TT)]


      x∧y |  y: TT   FF   UU
    ------+------------------
    x: TT |     TT   FF   UU
    x: FF |     FF   FF   FF
    x: UU |     UU   FF   UU

      x=y |  y: TT   FF   UU
    ------+------------------
    x: TT |     TT   FF   UU
    x: FF |     FF   TT   UU
    x: UU |     UU   UU   UU
3.  INDIVIDUAL EQUALITY AND DEFINEDNESS


In the domain of individuals of the logic, we want (very often in practice) to utter sentences which contain terms such as 'x is the same as y'. For example we could require a function

    f ≡ [λx. is-the-same-as(x,a)→b,g(x)]

or we might want a sentence such as

    ¬(is-the-same-as(x,y)) :: g(x,y) ≡ h(x,y)

The '≡' connective of LCF is the most obvious candidate but it cannot be represented by an LCF term since it is not monotonic. What we want is a two place predicate '=' which

    i)  is undefined exactly when one (or both) of its arguments is undefined, and otherwise

    ii) has the value TT if and only if the two arguments are the same element (not UU).

Such a predicate, obviously monotonic, is possible in the appropriate domains of individuals (see below) but as with the logical operators AND and OR, this 'computable' equality cannot be defined but must be axiomatised. The following capture the desired predicate:

    AX 3.1   ∀x. ((x=x)→x,UU) ≡ x

    AX 3.2   ∀x y. (x=y) :: x≡y

    AX 3.3   ∀x y. (x=x)→((y=y)→TT,UU),UU ≡ (x=y)→TT,TT

    AX 3.4   (UU=UU) ≡ UU


First note that this equality predicate for the domain of individuals and the logical equivalence predicate defined in the last section are of different types (in the technical sense) and are only given the same name because of shortage of symbols. As with the symbol UU (which denotes an individual, a truth value and an infinite number of functions of different types) the particular predicate intended by '=' can be determined by context.

The role that the first three axioms play is quite straightforward:-

    3.1 says that the '=' relation is reflexive on all individuals except UU; it says nothing about UU=UU;

    3.2 says that the relation is only true in the reflexive case;

    3.3 interpreted in the light of 2.4, this axiom gives us that if neither x, y are UU then x=y is either TT or FF; it also gives that if x=y is TT or FF then neither x nor y is the undefined element.

The axiom 3.4 is not really necessary in that if there is any element in the domain of individuals (distinguishable from UU) then 3.4 follows from 3.1-3.3. For, supposing X to be distinguishable from UU, X≡UU is a contradiction and so we argue by cases on UU=UU: If UU=UU≡TT then X=UU≡TT by monotonicity and X≡UU by axiom 3.2; If UU=UU≡FF then X=X≡FF by monotonicity and X≡UU by axiom 3.1; Since the TT and FF cases lead to contradictions we have UU=UU≡UU.

Although we are indeed only interested in nontrivial domains we want to be able to prove a body of useful theorems about equality without mentioning any particular elements. 3.4 is needed to prove several of the theorems of appendix 3 and this forces us to add it. For example, the theorem


    ∀X. X=UU ≡ UU


can not follow from the first three axioms since in the trivial domain of just UU, we can have UU=UU≡TT and the axioms are satisfied.


X≡Y can always be deduced from X=Y≡TT as prescribed by the axioms, but we also easily get theorems for going the other way

    X≡Y, X=X≡TT  ⊢  X=Y≡TT
    X≡Y, Y=Y≡TT  ⊢  X=Y≡TT

and 2 versions of the commutative law for '='.

    ∀X Y. X=Y ≡ Y=X
    X=Y≡TT  ⊢  Y=X≡TT


The fact that every element except UU is equal (=) to itself gives us the definedness predicate for individuals by definition,

    DEF 3.5   ∂ ≡ [λx. x=x]

where ∂ will be TT on all individuals other than UU and ∂(UU) will be UU.

Appendix 3 also gives useful theorems about the ∂ predicate. Note especially the following theorems which are extremely important when arguing by cases on the definedness of some individual:-

    ∂(X)≡FF  ⊢  TT≡FF          ∂(X)≡UU  ⊢  X≡UU

It was inferred above that the axioms for '=' dictate some structure for the domain of individuals. This structure is simply flatness or discreteness (which means that for any element X, if Y⊑X then Y is either UU or X itself). The following theorems show that this is so and it is asserted that flatness isn't a high price to pay for the notions of equality and definedness. In fact, Scott, in his original proposal, suggested that this was a reasonable assumption.


    X=Y≡FF, X⊑Y  ⊢  TT≡FF
    ∂(X)≡TT, X⊑Y  ⊢  X≡Y
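As an added illustration (not part of this paper or of the LCF system), the following Python model evaluates the operators of DEF 2.1, 2.5 and 2.6 and the axioms AX 2.2-2.4 and AX 3.1-3.4 over a finite domain: it derives the truth tables of section 2, checks each operator for monotonicity with respect to ⊑, and reproduces the observation that AX 3.1-3.3 are satisfied in the trivial domain of just UU with UU=UU taken to be TT, which is why AX 3.4 has to be asserted. The function names, the use of None for UU and the sample domain of individuals are assumptions of the example.

```python
# Added example, not from the paper: a finite model of the LCF truth values
# and of a flat domain of individuals, with None standing for UU.
from itertools import product

UU = None
TT, FF = True, False
TRUTH = (TT, FF, UU)                 # the domain of truth values
INDIV = (0, 1, 2, UU)                # constructed flat domain of individuals

def cond(p, a, b):
    """The LCF conditional p→a,b: strict in p, so UU→a,b ≡ UU."""
    if p is UU:
        return UU
    return a if p is TT else b

def NOT(x):                          # DEF 2.1  ¬ ≡ [λx. x→FF,TT]
    return cond(x, FF, TT)

def OR(p, q):                        # AX 2.2-2.4 read as an evaluation rule
    if q is TT:
        return TT                    # P∨TT ≡ TT, even when P is UU
    if q is FF:
        return p                     # P∨FF ≡ P
    return cond(p, TT, UU)           # P∨UU ≡ P→TT,UU

def AND(x, y):                       # DEF 2.5  ∧ ≡ [λx y. ¬((¬x)∨(¬y))]
    return NOT(OR(NOT(x), NOT(y)))

def EQUIV(x, y):                     # DEF 2.6  = ≡ [λx y. x→y,(y→FF,TT)]
    return cond(x, y, cond(y, FF, TT))

def EQ(x, y):
    """Computable equality on a flat domain, as AX 3.1-3.4 prescribe:
    UU if either argument is UU, otherwise TT iff the arguments coincide."""
    if x is UU or y is UU:
        return UU
    return TT if x == y else FF

def DEFINED(x):                      # DEF 3.5  ∂ ≡ [λx. x=x]
    return EQ(x, x)

def truth_table(op, dom=TRUTH):
    """Mapping (x, y) -> op(x, y) over every pair of the domain."""
    return {(x, y): op(x, y) for x, y in product(dom, dom)}

def leq(a, b):
    """The approximation ordering ⊑ of a flat domain: UU ⊑ b for every b,
    and otherwise a ⊑ b only when a and b are the same element."""
    return a is UU or a == b

def is_monotonic(op, dom):
    """True iff x1⊑x2 and y1⊑y2 always give op(x1,y1) ⊑ op(x2,y2)."""
    for x1, y1, x2, y2 in product(dom, repeat=4):
        if leq(x1, x2) and leq(y1, y2) and not leq(op(x1, y1), op(x2, y2)):
            return False
    return True

def satisfies_eq_axioms(eq, dom):
    """Check AX 3.1-3.3 for a candidate equality `eq` on `dom`; AX 3.4 is
    left to the caller so that its independence from the others can be seen."""
    for x in dom:
        if cond(eq(x, x), x, UU) != x:                       # AX 3.1
            return False
    for x, y in product(dom, dom):
        if eq(x, y) is TT and x != y:                        # AX 3.2
            return False
        lhs = cond(eq(x, x), cond(eq(y, y), TT, UU), UU)     # AX 3.3
        if lhs != cond(eq(x, y), TT, TT):
            return False
    return True

def trivial_eq(x, y):
    """Equality on the trivial domain {UU} with UU=UU ≡ TT: the text notes
    that AX 3.1-3.3 tolerate this, so AX 3.4 does not follow from them."""
    return TT
```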


4.  NATURAL NUMBERS


The natural numbers can be axiomatized by the following four axioms and four definitions:


    DEF 4.1   Z ≡ [λx. x=0]
    AX  4.2   Z(0) ≡ TT
    DEF 4.3   isnat ≡ [αF. [λx. Z(x)→TT,F(pred(x))]]
    AX  4.4   ∀X. isnat(X):: Z(X)→0,succ(pred(X)) ≡ X
    AX  4.5   ∀X. isnat(X):: Z(succ(X)) ≡ FF
    AX  4.6   ∀X. isnat(X):: pred(succ(X)) ≡ X
    DEF 4.7   1 ≡ succ(0)
    DEF 4.8   2 ≡ succ(1)


where the axiomatised quantities are the individual '0', the function 'succ' and the function 'pred'.


A glance at appendix 4 shows that many usual properties of the natural numbers are provable. In particular, the following ones:-

    isnat(0) ≡ TT

    isnat(X)≡TT  ⊢  Z(succ(X)) ≡ FF

    isnat(X)≡TT  ⊢  isnat(succ(X)) ≡ TT

    isnat(X)≡TT, isnat(Y)≡TT, succ(X)≡succ(Y)  ⊢  X≡Y

    g(0)≡TT, ∀x. isnat(x):: g(x):: g(succ(x))≡TT  ⊢  ∀x. isnat(x):: g(x)≡TT

which approximate PEANO axioms for natural numbers. I use the word 'approximate' since the free variable 'g' in the induction theorem can only be instantiated to a continuous function. However, because the domain of individuals we use is discrete, if F is any function on just the natural numbers, it can be extended to a continuous function by defining F(UU) to be UU. Hence theorems which follow from the Peano postulates in usual logics will be valid (perhaps with relativisation) in this LCF environment.


See also appendix 5 where a proof of the induction theorem is given as an example of a technique of using Scott induction to prove relativised assertions. It should also be noted that this induction theorem can be applied to prove assertions of the form

    ∀x. isnat(x):: h(x)≡k(x)


by instantiating g with the term [λx. h(x)=k(x)] and proving

    h(0)=k(0)≡TT,  ∀x. isnat(x):: h(x)=k(x):: h(succ(x))=k(succ(x))≡TT .

Note that this doesn't mean that the following sentence is a theorem:

    h(0)≡k(0), ∀x. isnat(x):: h(x)≡k(x):: h(succ(x))≡k(succ(x))

        ⊢  ∀x. isnat(x):: h(x)≡k(x)

for consider the functions h ≡ [λx. UU] and k ≡ [λx. Z(x)→UU,0].


Similarly, the instantiation g ← [λx. h(x)→FF,TT] means that the theorem can be applied to attack goals of the form


    ∀x. isnat(x):: h(x)≡FF


We would now like to argue (informally) that there are no non-standard models satisfying the axioms. We already have that succ^n(0) behaves as the integer n so we need only prove that the set {succ^n(0)} exhausts the set of things for which 'isnat' is true.

Reasoning outside LCF we can say

    pred(x)≡y, isnat(y)≡TT, isnat(x)≡TT  ⊢  x≡succ(y)   is provable;

Hence, for any integer n,

    pred^n(X)≡0, isnat(X)≡TT  ⊢  X≡succ^n(0)   is provable;

But we know from the recursive definition of isnat

    if isnat(X)≡TT then pred^n(X)≡0 for some n;

So isnat(X) implies X≡succ^n(0) for some n.


It is clear from the various preceding comments that the set of axioms given is consistent and a faithful representation of the natural numbers. We now consider redundancy in the axioms and note

    4.2 is terse and basic; without it it is not possible to derive isnat(0)≡TT or even that there exist any natural numbers;

    4.4 may not be condensed to ∀x. Z(x)→0,succ(pred(x)) ≡ x as there may be elements in the domain of individuals on which 'pred' is undefined and so (noting that succ(UU)≡UU will be derivable) we get a contradiction.

    4.4 cannot be weakened to either of the sentences

        ∀x. succ(pred(x)) ≡ x ;   ∀x. isnat(x):: succ(pred(x)) ≡ x

    without making a commitment to the existence of an element given by pred(0). If the axioms are to be used as a base for the integers this is OK but if the only numbers are to be the natural numbers then we would want pred(0)≡UU to be true.

    4.5 is needed to get the distinctness of succ^m(0) and succ^n(0); without the axiom at all, it is not possible to show that 0 and 1 are not the same element. With only Z(1)≡FF in its place, it cannot even be reasoned that 0 and succ(succ(0)) are distinct;

    4.6 is a basic property which cannot be derived from the other axioms.

It should be noted that the functions 'succ' and 'pred' are only partially specified in the natural number axioms since we want them to be defined appropriately when we axiomatize the set of integers (both positive and negative).

Care has been taken in assembling the appendix of theorems to exhibit the role that equality plays in the axiomatisation. The first group of theorems depends only on axioms 4.2 to 4.8 which do not mention equality or definedness. The later theorems require the equality axioms and 4.1 as well for their demonstration.
5.  INTEGERS AND ARITHMETIC


    AX 5.1   ∀x. isnat(x):: pos(x) ≡ Z(x)→FF,TT

    AX 5.2   ∀x. pos(x):: isnat(x) ≡ TT

    AX 5.3   ∀x. pos(mns(x)) ≡ pos(x)→FF,Z(x)→FF,TT

    AX 5.4   ∀x. pos(x)→TT,TT ≡ isint(x)→TT,UU

    AX 5.5   ∀x. isint(x)→mns(mns(x)),mns(x) ≡ isint(x)→x,UU

    AX 5.6   ∀x. succ(x) ≡ mns(pred(mns(x)))

    AX 5.7   ∀x. pred(x) ≡ mns(succ(mns(x)))

    AX 5.8   [λx. isint(x)→TT,TT] ≡ ∂

The interpretation intended here is that a positive integer 'n', say, is represented by succ^n(0) and that a negative integer '-m', say, is represented by pred^m(0). Obviously 'mns' is the unary minus operator and 'pos' is the greater-than-zero predicate. Appendix six gives a large collection of basic, but useful, theorems provable from the axioms of sections 3, 4, 5. Note that the functions 'isnat', 'pos', 'mns', 'succ' and 'pred' are all undefined where 'isint' isn't true.

Just about all that will be claimed about the above axioms for integers in LCF is that they are consistent (since each is true in the standard interpretation of the integers) and the usual theorems can be proved using them. Because they are just a bunch of suitable properties which together do the job, no individual deserves comment.

It is readily demonstrated that {succ^n(0)} ∪ {pred^m(0)} is the same set as {x | isint(x)≡TT} as follows:

    Suppose isint(X)≡TT;

    From AX 5.4 we get that pos(X) must be TT or FF;

    If pos(X)≡TT then isnat(X)≡TT and so X≡succ^n(0) for some n>0;

    If pos(X)≡FF then isnat(mns(X))≡TT and so mns(X)≡succ^n(0) for some n>0 giving X≡mns(succ^n(0));

    But [λx. mns(succ^n(x))] ≡ [λx. pred^n(mns(x))] so we get X≡pred^n(0);

    Hence isint(X)≡TT implies X≡succ^n(0) ∨ X≡pred^n(0) for some n>0.

Also we see that isint(succ^m(0))≡TT for all m>0 from the theorem

    isint(X)≡TT  ⊢  isint(succ(X))≡TT

and isint(pred^m(0))≡TT for all m>0 from the corresponding theorem

    isint(X)≡TT  ⊢  isint(pred(X))≡TT .

Although none of the theorems of appendix 6 are deep, one can see how many important simple relations there are between the objects axiomatised in this section.

The main induction theorem for integers is simply stated thus:-

    g(0)≡TT, ∀x. isint(x):: g(succ(x))≡g(x)  ⊢  ∀x. isint(x):: g(x)≡TT .

To prevent confusion arising from the similarity between this theorem and the induction principle for natural numbers, note the following NON-theorem:-

    g(0)≡TT, ∀x. isint(x):: g(x):: g(succ(x))≡TT  ⊢  ∀x. isint(x):: g(x)≡TT

The discussion of the corresponding induction principle for natural numbers introduced a technique which is appropriate in this section also for attacking goals of the form ∀x. h(x)≡k(x) using such a rule. That was to instantiate the g of the theorem with the term [λx. h(x)=k(x)]. Practice shows, however, that it is economical to restate the theorem so as to incorporate the idea


    h(0)≡k(0),
    ∀x. isint(x):: ∂(h(x))≡TT,
    ∀x. isint(x):: ∂(k(x))≡TT,
    ∀x. isint(x):: (h(x)≡k(x)):: h(succ(x))≡k(succ(x)),
    ∀x. isint(x):: (h(x)≡k(x)):: h(pred(x))≡k(pred(x))
        ⊢  ∀x. isint(x):: h(x)≡k(x)


Although this is considerably more cumbersome, each notion expressed by the antecedents must be proved in either case and so the economy lies in not having to prove by nested cases arguments


    ∀x. isint(x):: (h(x)=k(x)) ≡ (h(succ(x))=k(succ(x)))


With the integers axiomatised satisfactorily, we proceed to definition of the basic arithmetic functions and predicates:-


Functions:

    DEF 5.9    +  ≡ [αG. [λx y. Z(y)→isint(x)→x,UU,
                              pos(y)→G(succ(x),pred(y)), G(pred(x),succ(y))]]
    DEF 5.10   -  ≡ [λx y. x+mns(y)]
    DEF 5.11   *  ≡ [αG. [λx y. Z(y)→isint(x)→0,UU,
                              pos(y)→G(x,pred(y))+x, G(x,succ(y))-x]]
    DEF 5.12   /  ≡ [αG. [λx y. Z(y)→UU, Z(x)→(isint(y)→0,UU),
                              pos(x)→pos(y)→pos(y-x)→0, succ(G(x-y,y)),
                                     mns(G(x,mns(y))), mns(G(mns(x),y))]]
    DEF 5.13   ⊙  ≡ [λx y. x-((x/y)*y)]
    DEF 5.14   Fac  ≡ [αG. [λx. Z(x)→1, pos(x)→x*G(x-1), UU]]
    DEF 5.15   Look ≡ [αG. [λx f p. p(x)→x, G(f(x),f,p)]]

Predicates:

    DEF 5.16   >  ≡ [λx y. pos(x-y)]
    DEF 5.17   ≥  ≡ [λx y. Z(x-y)→TT, pos(x-y)]
    DEF 5.18   <  ≡ [λx y. y>x]
    DEF 5.19   ≤  ≡ [λx y. y≥x]
    DEF 5.20   even ≡ [λx. Z(x⊙2)]
    DEF 5.21   odd  ≡ [λx. Z(x⊙2)→FF,TT]
    DEF 5.22   buq  ≡ [αG. [λx y p. (x>y)→TT, p(x)→G(x+1,y,p), FF]]
    DEF 5.23   beq  ≡ [αG. [λx y p. (x>y)→FF, p(x)→TT, G(x+1,y,p)]]
    DEF 5.24   Pr   ≡ [λx. [λy. (y>1)→buq(2,y-1,[λz. (y⊙z)=0→FF,TT]), FF](x>0→x,mns(x))]

Most of these definitions are self explanatory and the others become obvious with a few points of explanation:-

    i)   '/' is integer division, of course, and '⊙' is the 'mod' operator which gives the remainder on division. These are defined in the normal manner for positive integers and are extended (to operations involving negative integers) in such a way that the sign of x/y is always appropriate algebraically and the sign of x⊙y is the same as the sign of x. This choice enables the reconstruction of a number from its quotient and remainder (with respect to a given divisor).

    ii)  'Fac' is the factorial function and is only defined for non-negative integer arguments.

    iii) Look(x,f,p) yields the first integer y (if any) in the sequence (x, fx, ffx, fffx ...) which satisfies the predicate p (provided no previous member of the sequence caused p to yield UU).

    iv)  'buq' stands for Bounded Universal Quantifier and 'beq' denotes Bounded Existential Quantifier and they are meant to take the place of regular quantifiers in numeric proofs.

         The importance of buq comes from the pair of theorems:

             buq(X,Y,p)≡TT  ⊢  ∀z. z≥X:: Y≥z:: p(z)≡TT
             ∀z. z≥X:: Y≥z:: p(z)≡TT  ⊢  buq(X,Y,p)≡TT

         A similar result for 'beq' is expressible as the meta-theorem that (provided p is total on the range <X,Y>) beq(X,Y,p)≡TT IFF there is an integer in <X,Y> that satisfies p.

         The totality proviso in this result is essential, for if p(n)≡UU and p(n+1)≡TT then beq(n,n+1,p)≡UU even though there does exist an integer in the range which satisfies the given predicate.

         Although the predicate which gives TT exactly when there is an appropriate element in the range is definable as

             [αG. [λx y p. x>y→TT, p(x)∨G(x+1,y,p)]] ,

         DEF 5.23 is preferred because of the useful relationship between that version of beq and the Look function.

    v)   Pr(x) is TT if either x or mns(x) is a natural number which is prime in the usual sense (not 1). Pr is a total predicate over the integers.

    vi)  Note that all the functions and predicates take at least one argument which is of type 'individual'. All these functions (except Look) become undefined when applied to individuals which are not integers.
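As an added illustration (not part of this paper), the following Python code runs DEF 5.9-5.13 and DEF 5.22-5.23 over small integers, with None standing for UU: it shows the sign rule of point i) above (the quotient truncates towards zero and the remainder takes the sign of x, which differs from Python's own floor division) and the totality proviso of point iv), where beq yields UU for a predicate that is UU before its first TT while the '∨'-based variant yields TT. The function names, the constructed predicate, and the choice that the '∨'-based variant yields FF on an empty range are assumptions of the example.

```python
# Added example, not from the paper: DEF 5.9-5.13 and DEF 5.22-5.23 run over
# Python ints, with None standing for UU.  Recursion follows the definitions
# literally (one step per succ/pred), so keep the operands small.
from typing import Callable, Optional

UU = None
Int = Optional[int]                    # an individual: an integer, or UU

def Z(x: Int):    return UU if x is UU else x == 0     # DEF 4.1  Z ≡ [λx. x=0]
def pos(x: Int):  return UU if x is UU else x > 0      # the greater-than-zero predicate
def mns(x: Int):  return UU if x is UU else -x         # unary minus
def succ(x: Int): return UU if x is UU else x + 1
def pred(x: Int): return UU if x is UU else x - 1

def add(x: Int, y: Int) -> Int:        # DEF 5.9  '+'
    if x is UU or y is UU:             # Z(UU) ≡ UU and isint(x)→x,UU
        return UU
    if y == 0:
        return x
    return add(succ(x), pred(y)) if y > 0 else add(pred(x), succ(y))

def sub(x: Int, y: Int) -> Int:        # DEF 5.10 '-' ≡ [λx y. x+mns(y)]
    return add(x, mns(y))

def mul(x: Int, y: Int) -> Int:        # DEF 5.11 '*'
    if x is UU or y is UU:
        return UU
    if y == 0:
        return 0
    return add(mul(x, pred(y)), x) if y > 0 else sub(mul(x, succ(y)), x)

def div(x: Int, y: Int) -> Int:        # DEF 5.12 '/'
    if x is UU or y is UU or y == 0:   # Z(y)→UU
        return UU
    if x == 0:                         # Z(x)→(isint(y)→0,UU)
        return 0
    if x > 0:
        if y > 0:                      # pos(y-x)→0, succ(G(x-y,y))
            return 0 if y > x else succ(div(sub(x, y), y))
        return mns(div(x, mns(y)))     # mns(G(x,mns(y)))
    return mns(div(mns(x), y))         # mns(G(mns(x),y))

def mod(x: Int, y: Int) -> Int:        # DEF 5.13  x - ((x/y)*y)
    return sub(x, mul(div(x, y), y))

def reconstructs(x: int, y: int) -> bool:
    """x ≡ (x/y)*y + x⊙y: the property the sign convention is chosen to secure."""
    return add(mul(div(x, y), y), mod(x, y)) == x

Pred = Callable[[int], Optional[bool]]  # a predicate that may yield UU

def buq(x: int, y: int, p: Pred):      # DEF 5.22  bounded universal quantifier
    if x > y:
        return True
    px = p(x)
    if px is UU:
        return UU                      # p(x)→... is strict, so UU propagates
    return buq(x + 1, y, p) if px else False

def beq(x: int, y: int, p: Pred):      # DEF 5.23  bounded existential quantifier
    if x > y:
        return False
    px = p(x)
    if px is UU:
        return UU
    return True if px else beq(x + 1, y, p)

def por(p, q):
    """The parallel '∨' of AX 2.2-2.4: TT if either side is TT,
    FF only if both sides are FF, UU otherwise."""
    if p is True or q is True:
        return True
    return False if (p is False and q is False) else UU

def beq_parallel(x: int, y: int, p: Pred):
    """The '∨'-based variant mentioned in point iv); this example takes the
    empty range to yield FF (an assumption) so it agrees with beq on total p."""
    if x > y:
        return False
    return por(p(x), beq_parallel(x + 1, y, p))

def partial_pred(n: int) -> Optional[bool]:
    """Constructed predicate with p(3) ≡ UU and p(4) ≡ TT: the situation in
    which the text notes that beq(3,4,p) ≡ UU despite a satisfying element."""
    return UU if n == 3 else n == 4
```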
Appendix 7 contains a rather large collection of results that follow from the results on integers and the definitions listed above. There are basic theorems about all of the functions and predicates except < and ≤. If a problem contains these predicates then the definitions 5.18 and 5.19 should be applied to transform the goals to ones containing > and ≥.


We have already introduced 2 mathematical induction theorems which require, for their application, steps of the forms:-

    g(x)  ⊢  g(succ(x))          g(x)  ⊢  g(pred(x))

Such statements are often as inconvenient to prepare as the result we wish to establish. Actually, we want to model, in LCF, that form of mathematical induction given (in predicate calculus) by:-

    (∀x. (∀y. [y<x ∧ y≥0] ⊃ p(y)) ⊃ p(x)) ⊃ [∀x. x≥0 ⊃ p(x)]


The obvious problem about what to do with this in LCF is what to do with the nested quantifiers. Fortunately, the nested quantifier is bounded and so we get the LCF version of the theorem as:-

    ∀x. x≥0:: buq(0,x-1,P):: P(x)≡TT  ⊢  ∀x. x≥0:: P(x)≡TT

Actually a more primitive form of the theorem was needed to prove certain results about division which preceded the work on relations and 'buq'.

Two more functions which will be similarly treated are the sum and product of a finite sequence - the big SIGMA and big PI notation of analysis.

    DEF 5.25   Sum  ≡ [αG. [λx y f. y<x→0, f(x)+G(x+1,y,f)]]

    DEF 5.26   Prod ≡ [αG. [λx y f. y<x→1, f(x)*G(x+1,y,f)]]
6.  LISTS and S-EXPRESSIONS


Since lists are a special case of S-expressions, we start with an axiomatisation of the more general object.

    AX  6.1   issexp(UU) ≡ UU

    AX  6.2   issexp(NIL) ≡ TT

    DEF 6.3   null ≡ [λx. x=NIL]

    DEF 6.4   atom ≡ [λx. issexp(x)→null(x),TT]

    AX  6.5   ∀X. atom(X):: head(X)≡UU

    AX  6.6   ∀X. atom(X):: tail(X)≡UU

    AX  6.7   ∀X Y. head(cons(X,Y)) ≡ ∂(Y)→X,UU

    AX  6.8   ∀X Y. tail(cons(X,Y)) ≡ ∂(X)→Y,UU

    AX  6.9   ∀X. cons(head(X),tail(X)) ≡ atom(X)→UU,X

    AX  6.10  ∂ ≡ [αG. [λx. atom(x)→TT, G(head(x))∧G(tail(x))]]


Note first that AX 6.1 is valid for all domains which have defined individuals other than S-expressions - the most common circumstance. In situations where all individuals are S-expressions it would be consistent to say that issexp(UU)≡TT but it would be unlikely to give any advantage over postulating issexp(UU)≡UU. Hence, for the sake of proving some handy theorems about S-expressions (which must be true whenever NIL is not the only atom) we assert 6.1 instead of leaving issexp(UU) unspecified.

The purpose of axiom 6.10 is to eliminate (from models) any structures which are infinite. This also means that circularity (which is possible in LISP, for example) is ruled out. As an illustration of the implications of this axiom, a theorem is proved in appendix 8 which gives that if head(X)≡X then X≡UU. A more complete result about circularity is discussed below using the notion of subexpression.


There is one other debatable point about these axioms. It is that we have, as you may have anticipated from the earlier discussion of equality between individuals, adopted the doctrine of discreteness for the domain of S-expressions. The opposing point of view is that a term such as cons(UU,X) (which clearly must be 'under' both the terms cons(A,X) and cons(B,X) for any individuals A & B) is not the same as UU and, moreover, tail(cons(UU,X))≡X. As far as the relative powers of the opposing systems are concerned, it seems that most theorems are identical, but there are some notions expressible more simply in one system than the other. The big argument in favor of the above set of axioms is that with discreteness comes the notion of equality as expounded earlier. The only tricky part about amending the above axioms to allow for the case where cons(UU,X) is not UU is the problem of excluding the infinite S-expressions.


Appendix 8 contains theorems about the functions issexp, head, tail, cons, atom and null. We mention here only an induction theorem for S-expressions:-

    ∀x y. g(x):: g(y):: g(cons(x,y))≡TT,
    ∀x. atom(x):: g(x)≡TT  ⊢  ∀x. ∂(x):: g(x)≡TT


Following LISP, a list is a special case of an S-expression, namely one which transforms to NIL after some number of applications of the tail operator. As such, lists are easily defined.

    DEF 6.11   islist ≡ [αG. [λx. null(x)→TT, atom(x)→FF, G(tail(x))]]

As usual, a number of theorems form an appendix (9) but we give an induction theorem locally.

    ∀x y. ∂(x):: islist(y):: g(y):: g(cons(x,y))≡TT,
    g(NIL)≡TT  ⊢  ∀x. islist(x):: g(x)≡TT


A number of usual operations on lists and S-expressions are given with some others that foreshadow the treatment of sets in the next section of this report.

    DEF 6.12   rev ≡ [λX. rev2(X,NIL)]

    DEF 6.13   rev2 ≡ [αG. [λx y. null(x)→y, G(tail(x),cons(head(x),y))]]

    DEF 6.14   & ≡ [αG. [λx y. null(x)→y, cons(head(x),G(tail(x),y))]]

    DEF 6.15   ANDmap ≡ [αG. [λx p. islist(x)→
                   (null(x)→TT, p(head(x))→G(tail(x),p), FF), UU]]

    DEF 6.16   ORmap ≡ [αG. [λx p. islist(x)→
                   (null(x)→FF, p(head(x))→TT, G(tail(x),p)), UU]]

    DEF 6.17   FNmap ≡ [αG. [λx f.
                   (null(x)→NIL, cons(f(head(x)),G(tail(x),f)))]]

    DEF 6.18   PRUNE ≡ [αG. [λx p. null(x)→NIL, p(head(x))→G(tail(x),p),
                   cons(head(x),G(tail(x),p))]]

    DEF 6.19   mem ≡ [λx y. ∂(x)→ORmap(y,[λz. x=z]), UU]

    DEF 6.20   memL ≡ [λx y. islist(y)→ANDmap(x,[λz. mem(z,y)]), UU]

    DEF 6.21   memEQ ≡ [λx y. memL(x,y)→memL(y,x), FF]

    DEF 6.22   memS ≡ [λx y. PRUNE(x,[λz. y=z])]

    DEF 6.23   memSL ≡ [λx y. PRUNE(x,[λz. mem(z,y)])]

    DEF 6.24   subexp ≡ [αG. [λx y. (x=y)→TT, atom(y)→FF, G(x,head(y))→TT,
                   G(x,tail(y))]]

    DEF 6.25   assoc ≡ [αG. [λx y. ∂(x)→ islist(y)→ null(y)→NIL,
                   x=head(head(y))→head(y), G(x,tail(y)), UU, UU]]

    DEF 6.26   forL ≡ [αG. [λL f fNIL. null(L)→fNIL,
                   f(head(L),G(tail(L),f,fNIL))]]

    DEF 6.27   nodes ≡ [αG. [λX. atom(X)→0, succ(G(head(X))+G(tail(X)))]]

    DEF 6.28   length ≡ [αG. [λX. null(X)→0, succ(G(tail(X)))]]
The function 'rev' is the function which produces a list which is the reverse of the argument list and is defined in the traditional way (using an auxiliary function 'rev2'). '&', the append function, is defined as the fixpoint of the appropriate computation. It is proved (see appendix 10) that '&' could have been defined by:

& ≡ [λx y. rev2(rev(x), y)].

Various basic properties of these two important functions are to be found in appendix 10. Note that the second argument of '&' need not be a list for the function to be defined. However, the following result is readily proved (and a similar remark applies to 'rev2'):

∀X. islist(X):: islist(X&Y) ≡ islist(Y)


The predicate ANDmap is used to describe situations in which all the elements of a list satisfy some predicate. The computation is performed by applying the predicate to each list element in turn until the end of the list is reached (and the result is TT) or until an element is encountered which does not satisfy the predicate. This method of computation means that, for example, ANDmap(X,p) may be undefined because p(y)≡UU for some object y. Because of this fact, many of the basic theorems about ANDmap are based on the assumption that the predicate is total. The predicate ORmap is the disjunctive analogue of ANDmap. The motivation for developing these predicates was to aid in the development of some of the later list operations. There are many theorems proved (see appendix 10) which describe the interaction between these two maps and 'rev' (or '&').

FNmap is simply a function on lists which applies a function to each member of the argument list. PRUNE is a function, also just defined for lists, which removes from the argument list those elements which satisfy some predicate. As examples, FNmap(X, [λy. y*2]) would double every element of a (numeric) list X and PRUNE(Y, [λx. x<0]) would remove every negative element from a (numeric) list Y.

The group of operations 6.19 to 6.23 are concerned with membership in lists and are crucial to the theory of sets given in the next section. mem(x,L) will be true whenever x is one of the elements of list L. It is shown in the theorems that the following is an alternate definition of 'mem':-

mem ≡ [αG. [λx y. islist(y)→ null(y)→ ∂(x)→FF,UU,
                   (x=head(y))→TT, G(x, tail(y)), UU]].

memL(X,Y) will be TT whenever ALL the elements of list X are members of list Y also. The following is an alternate definition for 'memL':-

memL ≡ [αG. [λx y. islist(y)→ islist(x)→
                    null(x)→TT, mem(head(x), y)→G(tail(x), y), FF, UU, UU]].

memEQ(X,Y) simply indicates whether two lists, X and Y, have the same elements (independent of the order or multiplicity of those elements). memS(L,X) deletes all elements of list L which are occurrences of the object X while memSL(L,N) deletes all elements of list L which are also elements of list N.
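As an added illustration (this is not code from the paper), the following Python model of the three truth values and of the list operations just defined makes the point about ANDmap concrete: the predicate is applied element by element, so ANDmap(X,p) is undefined only when an element on which p is UU is reached before one on which p is FF. The function names (and_map, or_map, mem_l and so on), the sentinel object standing for UU, and the partial predicate 'even' are this example's own constructions.

```python
# Added example (not code from the paper): a Python model of LCF's truth
# values TT, FF and UU and of the section 6 list operations ANDmap, ORmap,
# FNmap, PRUNE, mem, memL, memEQ, memS and memSL.  Lists are Python lists
# (NIL is []), UU is a sentinel object tested with 'is', and every operation
# returns UU exactly where the paper's definition is undefined.  Predicates
# passed in must themselves return TT, FF or UU (the paper's p(y)≡UU case).

class _Bottom:
    """The undefined element UU; code tests for it with 'is', never with ==."""
    def __repr__(self):
        return "UU"

UU = _Bottom()
TT, FF = True, False

def cond(p, a, b):
    """The LCF conditional  p→a,b : UU when the test p is UU."""
    if p is UU:
        return UU
    return a if p else b

def eq(x, y):
    """The LCF equality predicate x=y: UU if either argument is undefined."""
    if x is UU or y is UU:
        return UU
    return x == y

def and_map(xs, p):
    """DEF 6.15 ANDmap: examine elements in turn, stopping at the first FF."""
    for x in xs:
        r = p(x)
        if r is UU:
            return UU      # the computation never gets past this element
        if not r:
            return FF      # later elements are not examined at all
    return TT

def or_map(xs, p):
    """DEF 6.16 ORmap: the disjunctive analogue, stopping at the first TT."""
    for x in xs:
        r = p(x)
        if r is UU:
            return UU
        if r:
            return TT
    return FF

def fn_map(xs, f):
    """DEF 6.17 FNmap: apply f to every element of the list."""
    return [f(x) for x in xs]

def prune(xs, p):
    """DEF 6.18 PRUNE: remove the elements satisfying p (UU if p is UU on one)."""
    kept = []
    for x in xs:
        r = p(x)
        if r is UU:
            return UU
        if not r:
            kept.append(x)
    return kept

def mem(x, ys):
    """DEF 6.19 mem: ∂(x)→ORmap(ys, [λz. x=z]), UU."""
    if x is UU:
        return UU
    return or_map(ys, lambda z: eq(x, z))

def mem_l(xs, ys):
    """DEF 6.20 memL: every element of xs is a member of ys."""
    return and_map(xs, lambda z: mem(z, ys))

def mem_eq(xs, ys):
    """DEF 6.21 memEQ: memL(xs,ys)→memL(ys,xs), FF."""
    return cond(mem_l(xs, ys), mem_l(ys, xs), FF)

def mem_s(xs, y):
    """DEF 6.22 memS: delete every occurrence of the object y from xs."""
    return prune(xs, lambda z: eq(y, z))

def mem_sl(xs, ys):
    """DEF 6.23 memSL: delete from xs every element that is also in ys."""
    return prune(xs, lambda z: mem(z, ys))

def even(x):
    """A partial predicate constructed for the demonstration: UU on UU."""
    return UU if x is UU else x % 2 == 0
```

With this model, and_map([2, 3, UU], even) is FF because the FF at 3 stops the scan, while and_map([2, UU, 3], even) is UU; that asymmetry is exactly why the paper's ANDmap theorems assume a total predicate.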
The function 'subexp' is principally used to indicate the imbedding of one S-expression in another. subexp(X,Y) is TT exactly when some sequence (possibly null) of head and tail operations takes object Y into object X. Thus if Y is an S-expression then subexp(X,Y) indicates that X is imbedded in Y (at least once) but if Y is an atom then subexp(X,Y) indicates that X is the same atom. We are now able, using this new notion, to prove in LCF the non-existence of certain infinite S-expressions.

subexp(X,Y):: subexp(Y,X):: X ≡ Y

The infinite lists forbidden by this theorem are the ones which in LISP could be represented using circularity.

The function 'assoc' is purely LISP-inspired and could be useful where some association technique is appropriate to a proof. An alternate way of defining 'assoc' would be as:-

assoc ≡ [λx y. lookL(y, [λz. head(z)=x])]

where

lookL ≡ [αG. [λL p. islist(L)→ null(L)→NIL,
                    p(head(L))→head(L), G(tail(L), p), UU]]

is, in general, a more useful function. However, such a function which looked for the first element of a list to satisfy a given predicate could be more suitably defined, since with this definition lookL(X,p)≡NIL could mean EITHER that p(NIL)≡TT and NIL is a member of X OR that no element of X satisfied p.


The function 'forL' is a device for simplifying definitions of other functions which take a list as their only argument and which compute from the tail of the list to the head. As an example, the sum of the elements of a numeric list X is given by forL(X,+,0) while the product is given by forL(X,*,1). One could also give slightly more compact definitions of 'PRUNE' and 'FNmap' (and predicates which are similar to 'ANDmap' and 'ORmap') using 'forL'.

The function 'nodes' counts the subexpressions of an S-expression which are not atomic, or equivalently the number of nodes in a tree representation of the S-expression. 'length' is simply the number of elements in a list and could have been defined (to further illustrate 'forL'):-

length ≡ [λx. forL(x, [λy z. z+1], 0)].

These last two functions (which are the only ones to refer to the notions developed for arithmetic) are not expounded in the appendix but the usual properties clearly follow from the definitions and the arithmetic environment already constructed and described.
7. FINITE SETS


Sets turn out to be quite hard to categorise in LCF, even finite ones. The difficulty arises from the lack of existential quantifiers or the lack of nested quantification, depending how you look at it. The problem occurs as soon as you try to define the empty set and give its properties. We can easily express that nothing is in this set (call it NS) by the wff

∀x. ∂(x):: x∈NS ≡ FF

but when we come to say that the null set is the ONLY set in which there is nothing, we find no simple way to express the sentence

∀x. x∈A ≡ FF ⊢ A ≡ NS

as a well-formed formula of LCF. Recall that the form of an axiom in LCF is a wff, not a sentence.


The solutions we discovered to the above problem all involved axiomatising a choice function for sets which would pick some element from any set it was applied to. However, using this notion, several developments of the theory are possible. Because of the enormous economy involved, we have based our set theory on transformations between sets and lists. The choice function involved is the taking of the head of the list that a given set maps into (see the function 'select' defined below).

The transformation functions are 'listof' and 'setof' and are axiomatised as follows; note that finiteness is automatic since lists were axiomatised to be finite.


AX 7.1  [λx. isset(x)→TT, TT] ≡ ∂
AX 7.2  ∀x. isset(setof(x)) ≡ (islist(x)→TT, UU)
AX 7.3  ∀x. islist(listof(x)) ≡ (isset(x)→TT, UU)
AX 7.4  ∀x. setof(listof(x)) ≡ (isset(x)→x, UU)
AX 7.5  ∀x y. memEQ(x,y) ≡ setof(x)=setof(y)


Note that these axioms do not imply that sets are disjoint from lists, S-expressions or any other data type that may be part of individuals. In fact it is not inconceivable to identify sets with the lists to which they map by 'listof'. However, all that is needed to ensure disjointness is an axiom like

∀x. isset(x):: issexp(x) ≡ FF


With these notions, we easily DEFINE all the usual operations on sets in terms of the list membership functions and predicates defined in the last section. We start with some basic ones:-

DEF 7.6   NS     ≡ setof(NIL)
DEF 7.7   ∈      ≡ [λx y. mem(x, listof(y))]
DEF 7.8   subset ≡ [λx y. memL(listof(x), listof(y))]
DEF 7.9   ∪      ≡ [λx y. setof(listof(x) & listof(y))]
DEF 7.10  \      ≡ [λx y. setof(memSL(listof(x), listof(y)))]
DEF 7.11  ∩      ≡ [λx y. setof(memSL(listof(x), listof(x\y)))]
DEF 7.12  select ≡ [λx. head(listof(x))]
DEF 7.13  singtn ≡ [λx. setof(cons(x, NIL))]
With regard to these definitions, it will suffice to note

i)   NS is to be taken to be the null (or empty) set;

ii)  ∈ is the set membership predicate;

iii) X∪Y denotes the union of the sets X and Y;

iv)  X∩Y denotes the intersection of the sets X and Y;

v)   '\' is the set subtraction operation;

vi)  'select' is the choice function for picking elements from non-empty sets;

vii) singtn(X) denotes the set with X as its only element.

The definitions just given are the basic set operations for which theorems have been proved in LCF (for this project). Appendix twelve contains theorems relevant to these operations.


There are many theorems displayed in appendix 12, but consider how similar the following short collection of provable results is to the usual predicate calculus axioms for set theory. In fact, it is possible to prove all the other results of appendix 12 (except those that mention the functions 'listof' or 'setof') just from these theorems. Can, therefore, these sentences be taken as an alternate basis for a set theory in LCF? No! Two of these theorems have universal quantifiers in the assumptions and, as noted earlier, only sentences with no assumptions are admissible as axioms. Note another disadvantage: none of the set operations are introduced by explicit definition.


[λx. isset(x)→TT, TT] ≡ ∂

∀X Y. X∈Y→TT,TT ≡ ∂(X)→(isset(Y)→TT,UU),UU

isset(Y)≡TT, ∀U. U∈X ≡ U∈Y ⊢ X ≡ Y

∂(X)≡TT ⊢ X∈NS ≡ FF

∀X Y. subset(X,Y)→TT,TT ≡ isset(X)→(isset(Y)→TT,UU),UU

isset(X)≡TT, isset(Y)≡TT, ∀U. U∈X:: U∈Y≡TT ⊢ subset(X,Y)≡TT

subset(X,Y)≡TT ⊢ ∀U. U∈X:: U∈Y≡TT

∀U X Y. U∈(X∪Y) ≡ (U∈X)→(isset(Y)→TT,UU), (U∈Y)→TT,FF

∀U X Y. U∈(X\Y) ≡ (U∈X)→((U∈Y)→FF,TT), isset(Y)→FF,UU

∀U X Y. U∈(X∩Y) ≡ (U∈X)→((U∈Y)→TT,FF), isset(Y)→FF,UU

∀U X. U∈singtn(X) ≡ ∂(U)→(isset(X)→(U=X),UU),UU
There are some other very important set operations which have been defined appropriately (see below) but (mainly because of lack of time) no rigorous development of their properties has been done.

DEF 7.14  forS   ≡ [αG. [λx f fNS. (x=NS)→fNS, f(select(x),
                     G(x\singtn(select(x)), f, fNS))]]

DEF 7.15  Un     ≡ [λx. forS(x, [λy z. y∪z], NS)]

DEF 7.16  In     ≡ [λx. forS(x, [λy z. y∩z], x)]

DEF 7.17  reduce ≡ [λx p. forS(x, [λy z. p(y)→singtn(y)∪z, z], NS)]

DEF 7.18  seq    ≡ [λx p. (reduce(x,p)=NS)→FF,TT]

DEF 7.19  suq    ≡ [λx p. reduce(x,p)=x]

DEF 7.20  PS     ≡ [αG. [λx. forS(x, [λy z. G(x\y)∪z], singtn(x))]]

DEF 7.21  Card   ≡ [λx. forS(x, [λy z. z+1], 0)]


where, in words,

i)    forS is just an important auxiliary function;

ii)   Un(X) is the n-way union of all the sets that are in X;

iii)  In(X) is the n-way intersection of the elements of X;

iv)   reduce(X,p) is used to denote the set which in normal notation is written { z | z∈X ∧ p(z) };

v)    'seq' denotes Set Existential Quantifier & seq(X,p)≡TT when there is a member of X which satisfies predicate 'p' and 'p' is defined on the rest of the set;

vi)   'suq' denotes Set Universal Quantifier and suq(X,p)≡TT iff predicate 'p' is TT on all elements of set X;

vii)  PS is the power set function;

viii) Card is the cardinality function for sets.
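As an added illustration of the set theory of this section (not code from the paper), the following Python model represents a finite set by the list it maps to under 'listof' and transcribes the basic operations of DEFs 7.6 to 7.13 together with the forS-based operations of DEFs 7.14 to 7.21 (except In). Two points are this example's own assumptions rather than the paper's: 'setof' canonicalises a list by keeping the first occurrence of each element, which is one way of making setof(x)=setof(y) hold exactly when memEQ(x,y) (AX 7.5); and in PS the paper's x\y is read as removing the element y, that is, x\singtn(y). The function names (elt, diff, inter, for_s, reduce_ and so on) are also the example's own.

```python
# Added example (not code from the paper): section 7's finite sets as the
# lists they map to.  listof returns the list a set maps to (AX 7.3); setof
# identifies lists that are memEQ (same elements ignoring order and
# multiplicity, AX 7.5) by keeping only the first occurrence of each element,
# a canonical form chosen for this example.  The list membership helpers are
# the section 6 functions restricted to defined elements.

def mem(x, ys):                       # DEF 6.19, on defined elements
    return any(x == z for z in ys)

def mem_l(xs, ys):                    # DEF 6.20
    return all(mem(z, ys) for z in xs)

def mem_eq(xs, ys):                   # DEF 6.21
    return mem_l(xs, ys) and mem_l(ys, xs)

def mem_sl(xs, ys):                   # DEF 6.23
    return [z for z in xs if not mem(z, ys)]

class FSet:
    """A finite set, held as the canonical list it maps to under listof."""
    def __init__(self, items):
        self.items = items            # build only through setof()
    def __eq__(self, other):          # sets are equal iff their lists are memEQ
        return isinstance(other, FSet) and mem_eq(self.items, other.items)
    def __repr__(self):
        return "setof(%r)" % (self.items,)

def setof(xs):
    """AX 7.2: the set a list maps to; memEQ lists give equal sets (AX 7.5)."""
    canon = []
    for z in xs:
        if not mem(z, canon):
            canon.append(z)
    return FSet(canon)

def listof(s):
    """AX 7.3/7.4: the list a set maps to; setof(listof(s)) == s."""
    return list(s.items)

NS = setof([])                                                    # DEF 7.6
def elt(x, s):      return mem(x, listof(s))                      # DEF 7.7  x ∈ s
def subset(x, y):   return mem_l(listof(x), listof(y))            # DEF 7.8
def union(x, y):    return setof(listof(x) + listof(y))           # DEF 7.9  x ∪ y
def diff(x, y):     return setof(mem_sl(listof(x), listof(y)))    # DEF 7.10 x \ y
def inter(x, y):    return setof(mem_sl(listof(x), listof(diff(x, y))))  # DEF 7.11 x ∩ y
def select(x):      return listof(x)[0]                           # DEF 7.12 (undefined on NS)
def singtn(x):      return setof([x])                             # DEF 7.13

def for_s(x, f, f_ns):
    """DEF 7.14 forS: (x=NS)→f_ns, f(select(x), forS(x\singtn(select(x)), f, f_ns))."""
    if x == NS:
        return f_ns
    y = select(x)
    return f(y, for_s(diff(x, singtn(y)), f, f_ns))

def un(x):          return for_s(x, union, NS)                    # DEF 7.15 n-way union
def reduce_(x, p):                                                # DEF 7.17 { z | z ∈ x ∧ p(z) }
    return for_s(x, lambda y, z: union(singtn(y), z) if p(y) else z, NS)
def seq(x, p):      return reduce_(x, p) != NS                    # DEF 7.18 some element satisfies p
def suq(x, p):      return reduce_(x, p) == x                     # DEF 7.19 every element satisfies p
def ps(x):                                                        # DEF 7.20 power set, x\y read as x\singtn(y)
    return for_s(x, lambda y, z: union(ps(diff(x, singtn(y))), z), singtn(x))
def card(x):        return for_s(x, lambda y, z: z + 1, 0)        # DEF 7.21 cardinality
```

Because FSet equality is memEQ on the underlying lists, the extensionality theorem quoted earlier (two sets with the same members are equal) holds by construction, and sets of sets such as PS(X) work without any separate treatment.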


8. CONCLUSION


AXIOMATISATION TECHNIQUES.

In this work certain techniques were used in axiomatising various mathematical notions. To illustrate these we take an abstract example: "Axiomatise boops using the previously axiomatised notion of beeps!"
We start working with the assumption that there will be things in the domain of individuals that are not boops, not beeps (which may overlap with the set of boops) and are not anything that is mentioned in the axioms that the 'boop axioms' will depend on. This assumption means that many theorems about boops will have to be relativised but it also guarantees that we will be able to combine such groups of axioms without fear of inconsistency. Relativisation is only possible if there is a predicate 'isboop' which will be true only on boops. We will probably want

∂ ≡ [λx. isboop(x)→TT, TT]

to be true and if this is not provable from the other 'boop axioms' then thought should be given to making it an axiom. In the preceding sections this result was provable for issexp and islist, introduced as an axiom for isint and isset, but not even true for isnat.

Then the various functions and predicates which are peculiar to boops are axiomatised, paying special care to do so by means of explicit definitions wherever possible.
DISJOINTNESS OF DOMAINS

In the development of the environment so far, nothing has been said about disjointness of lists and integers, say. Before the theories here developed as modules can be used usefully as a unified whole, another axiom must be supplied to ensure that any appropriate disjointness is provable.

As an example of what is required in general, we give now an axiom that guarantees the disjointness of integers, S-expressions, sets and beeps:-

∀x. isint(x)→
        issexp(x)→UU, isset(x)→UU, isbeep(x)→UU, x,
     issexp(x)→ isset(x)→UU, isbeep(x)→UU, x,
     isset(x)→ isbeep(x)→UU, x,
     isbeep(x)→x, UU
    ≡ x.
PROJECT STATISTICS.

The total line count for the proofs of the 1033 (approx.) theorems given in the appendices stands at about L'3.033, using only those features of 'version 1' LCF (that is, the proof checker that is described in the 1972 manual [1]). The total cpu time used was about S3 hours and the human effort involved was about 8 man-months (all of which was spent at a time-sharing-system console). The figures for man and computer effort should be interpreted in light of the fact that much of the proving had to be re-done because of a revision of the axioms (after about 15,323 lines of proof some improvements in the axioms were deemed essential and so about 6 man weeks of effort was expended to alter the proofs).

These statistics provide, I believe, a valuable benchmark against which to measure the effectiveness of logics and aids for proof generation. It is proposed in the near future to use at least some of these proofs to gauge some proposed amendments to the input language of the proof checker.


INCOMPLETENESS.

Inspection of the theorems concerning the concept of Integer Primeness immediately reveals that the ones given are only the trivial properties of 'Pr'. It was also noted in sections 6 and 7 that no properties are given for some of the quite important operations that are defined on lists and sets. There are also, undoubtedly, many powerful and useful theorems for the other areas which remain unstated. Although this incompleteness dictates that a user may in certain circumstances be obliged to prove further results, work on expanding the theorem base (for its own sake) has been stopped because the point of diminishing returns has been reached. The future development of this mathematical environment will be accomplished by individuals enunciating theorems as required and supplying the proofs.

Another important reason for only adding (proved) theorems as they are needed is that a new version of the LCF checker will appear (sooner or later) and will incorporate features which will make the task of generating a proof more automatic and so much shorter. There is also the possibility that the typed logic will be replaced by the type free theory proposed by Scott and so the whole treatment would have to be redone (aside: this would take much less than the 8 man-months quoted here because the proof outlines are all done and the proof checker would be better - 3 months is an upper limit).


HOW TO USE THE ENVIRONMENT.

Inevitably some readers will want to make use of theorems from the appendices of this report in the Stanford AI project PDP10 system. The axioms are located in a file called AXIA on [TH,MAL] and the theorems appear in a form which LCF can read in the file THRMS on [TH,MAL]. Note that a large proportion of theorems without assumptions are suitable for immediate inclusion in the SIMPSET (for example ∀X. X+UU ≡ UU) although some (such as the various commutative rules) will cause non-termination of the simplification process. There are actually more theorems in this file than will fit, with LCF, in the 30K of core currently available to jobs in the PDP10 system at Stanford, so the user may have to prune a copy of THRMS to meet his needs. There will shortly be available a core image with a large selection of the most important theorems already read in (and moved to binary program space to reduce garbage collection time).
THEOREM NAMES.

LCF requires a name for every theorem (arbitrary alphanumeric identifier) but provides only one handle for access to a result - its name. Experience immediately suggests to the user that mnemonics will be an important ingredient in the organization of the environment and this is so as examples indicate:-

POS0     -  pos(0) ≡ FF

PLUSUX   -  ∀X. UU+X ≡ UU

TIMES0X  -  isint(X)≡TT ⊢ 0*X ≡ 0

ELTXNS   -  ∂(X)≡TT ⊢ X∈NS ≡ FF

However, for the many objects we have, mnemonic tags help only for a small fraction of the cases. Most theorems are not results which have words already associated with them (like associativity) and most have a good number of tokens in the assumptions and conclusion (combined). The author relied on a fairly complex system of mnemonic notions but names tended to be long and absolutely unintelligible to anyone else. What can one do about theorems such as:-

isint(U)≡TT ⊢ (U+X)>(U+Y) ≡ X>Y

X©Y≡0, isint(U)≡TT ⊢ (X*U)©Y ≡ 0

islist(X&Y)≡TT ⊢ islist(Y) ≡ TT

isset(X)≡TT, ∀U. U∈X ≡ U∈Y ⊢ X ≡ Y

to provide mnemonic significance without being so long that typing errors are encouraged unduly? It is apparent that proof generation should be written with more facilities to address theorems by their content and to have appropriate goal-directed procedures to search for the right theorem to apply.
ALGEBRAIC MANIPULATION.

Another situation where proof generation seemed unreasonably tedious was where an expression involved operators which had special properties - commutativity and associativity in particular. A good example of this sort of painful proof occurred in trying to prove the theorem

(X+Y)*(X-Y) ≡ (X*X)-(Y*Y).

Ignore the problem of what happens when X or Y are either undefined or simply not integers and suppose isint(X)≡TT, isint(Y)≡TT. The steps in the proof are:-

1)  isint(X*X) ≡ TT

2)  (X*X)+0 ≡ X*X

3)  isint(Y*X) ≡ TT

4)  (Y*X)-(Y*X) ≡ 0

5)  ∀X Y Z. (X+Y)-Z ≡ X+(Y-Z)

6)  ∀X Y Z. (X+Y)*Z ≡ (X*Z)+(Y*Z)

7)  ∀X Y Z. X-(Y+Z) ≡ (X-Y)-Z

8)  ∀X Y Z. X+(Y+Z) ≡ (X+Y)+Z

9)  ((X+Y)*X)-((X+Y)*Y) ≡ (X*X)-(Y*Y)   (BY 2, 4, 5-8)

10) ∀X Y Z. X*(Y-Z) ≡ (X*Y)-(X*Z)

11) (X+Y)*(X-Y) ≡ (X*X)-(Y*Y)   (BY 9, 10)


FUTURE WORK

This research has given birth to a lot of suggestions about possible improvements to LCF. Before this mathematical environment is expanded, therefore, a new, more-automatic proof generator should be developed. When a new one is produced, the body of theorems should be reviewed and expanded.

The same sort of experiment is planned to give the same sort of a rigorous theory for a programming language. A suitable language (such as LISP, ALGOL) or a subset of a language will be taken and the semantics axiomatised using LCF. Then important theorems will be formulated and proved as time and imagination permit.
APPENDIX 1

Theorems depending on NO axioms.


⊢ [λX. UU] ≡ UU

⊢ ∀P. (P→TT,FF) ≡ P
⊢ ∀P. (P→UU,UU) ≡ UU

A⊂X, B⊂X ⊢ ∀P. (P→A

P→TT,UU ≡ TT  ⊢  P ≡ TT
P→TT,FF ≡ TT  ⊢  P ≡ TT
P→FF,UU ≡ FF  ⊢  P ≡ TT
P→FF,TT ≡ FF  ⊢  P ≡ TT

P→UU,TT ≡ TT  ⊢  P ≡ FF
P→FF,TT ≡ TT  ⊢  P ≡ FF
P→UU,FF ≡ FF  ⊢  P ≡ FF
P→TT,FF ≡ FF  ⊢  P ≡ FF

P→TT,TT ≡ UU  ⊢  P ≡ UU
P→FF,FF ≡ UU  ⊢  P ≡ UU
P→TT,FF ≡ UU  ⊢  P ≡ UU
P→FF,TT ≡ UU  ⊢  P ≡ UU

P→FF,FF ≡ TT  ⊢  TT ≡ FF
P→FF,UU ≡ TT  ⊢  TT ≡ FF
P→UU,FF ≡ TT  ⊢  TT ≡ FF
P→TT,TT ≡ FF  ⊢  TT ≡ FF
P→TT,UU ≡ FF  ⊢  TT ≡ FF
P→UU,TT ≡ FF  ⊢  TT ≡ FF

P(UU) ≡ TT  ⊢  P ≡ [λx. TT]


APPENDIX 2 - Theorems that follow from the propositional axioms.


⊢ ¬TT ≡ FF
⊢ ¬UU ≡ UU
⊢ ¬FF ≡ TT

⊢ TT∨TT ≡ TT
⊢ TT∨UU ≡ TT
⊢ TT∨FF ≡ TT
⊢ UU∨TT ≡ TT
⊢ UU∨UU ≡ UU
⊢ UU∨FF ≡ UU
⊢ FF∨TT ≡ TT
⊢ FF∨UU ≡ UU
⊢ FF∨FF ≡ FF

⊢ ∀P. TT∨P ≡ TT
⊢ ∀P. FF∨P ≡ P
⊢ ∀P. P∨TT ≡ TT
⊢ ∀P. P∨FF ≡ P
⊢ ∀P. UU∨P ⊂ TT
⊢ ∀P. P∨UU ⊂ TT

⊢ TT∧TT ≡ TT
⊢ TT∧UU ≡ UU
⊢ TT∧FF ≡ FF
⊢ UU∧TT ≡ UU
⊢ UU∧UU ≡ UU
⊢ UU∧FF ≡ FF
⊢ FF∧TT ≡ FF
⊢ FF∧UU ≡ FF
⊢ FF∧FF ≡ FF

⊢ ∀P. TT∧P ≡ P
⊢ ∀P. FF∧P ≡ FF
⊢ ∀P. P∧TT ≡ P
⊢ ∀P. P∧FF ≡ FF
⊢ ∀P. UU∧P ⊂ FF
⊢ ∀P. P∧UU ⊂ FF

⊢ TT=TT ≡ TT
⊢ TT=UU ≡ UU
⊢ TT=FF ≡ FF
⊢ UU=TT ≡ UU
⊢ UU=UU ≡ UU
⊢ UU=FF ≡ UU
⊢ FF=TT ≡ FF
⊢ FF=UU ≡ UU
⊢ FF=FF ≡ TT
APPENDIX 2 (continued).


⊢ ∀P. UU=P ≡ UU
⊢ ∀P. P=UU ≡ UU

P=Q ≡ TT ⊢ P ≡ Q

⊢ ∀P. ¬¬P ≡ P

⊢ P∨Q ≡ Q∨P
⊢ ∀P Q R. (P∨Q)∨R ≡ P∨(Q∨R)

⊢ P∧Q ≡ Q∧P
⊢ ∀P Q R. (P∧Q)∧R ≡ P∧(Q∧R)

⊢ P=Q ≡ Q=P
⊢ ∀P Q R. (P=Q)=R ≡ P=(Q=R)

P∧Q ≡ FF ⊢ P→X,(Q→Y,Z) ≡ Q→Y,(P→X,Z)

P∨Q ≡ FF ⊢ P ≡ FF
P∨Q ≡ FF ⊢ Q ≡ FF

P∧Q ≡ TT ⊢ P ≡ TT
P∧Q ≡ TT ⊢ Q ≡ TT
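As an added check (this is not code from the paper), the conditional theorems of appendix 1 and the connective laws of appendix 2 can be verified exhaustively, since the truth values form a three-element domain. The Python below models UU as None, defines the conditional and the connectives from the tables of appendix 2, and models the ordering ⊂ (read "less defined than or equal to") with UU below both TT and FF; all names, and the encoding of the appendix-1 table as tuples, are this example's own.

```python
# Added example (not code from the paper): exhaustive verification, over the
# three LCF truth values, of the appendix-1 conditional theorems and the
# appendix-2 connective laws.  UU is None; the conditional p→a,b is UU when
# p is UU; ∨ is TT as soon as either side is TT, ∧ is FF as soon as either
# side is FF, and = is UU when either side is UU, which are the appendix-2
# tables.  Each checker returns the laws that fail: an empty list means the
# tables and the theorems agree.

from itertools import product

TT, FF, UU = True, False, None
VALUES = (TT, FF, UU)
ABSURD = "TT≡FF"          # marks a row whose hypothesis cannot hold

def cond(p, a, b):
    """The LCF conditional p→a,b."""
    return UU if p is UU else (a if p else b)

def v_or(p, q):
    if p is TT or q is TT:
        return TT
    return FF if (p is FF and q is FF) else UU

def v_and(p, q):
    if p is FF or q is FF:
        return FF
    return TT if (p is TT and q is TT) else UU

def v_not(p):
    return UU if p is UU else (not p)

def v_eq(p, q):
    return UU if (p is UU or q is UU) else (p is q)

def below(a, b):
    """a ⊂ b in the ordering where UU lies below TT and FF."""
    return a is UU or a is b

def for_all(n, law):
    """∀P1..Pn over the three truth values."""
    return all(law(*vs) for vs in product(VALUES, repeat=n))

# Appendix-1 rows (a, b, value, forced): P→a,b ≡ value forces P ≡ forced,
# or is an impossible hypothesis (ABSURD), from which TT ≡ FF follows.
APPENDIX1_TABLE = [
    (TT, UU, TT, TT), (TT, FF, TT, TT), (FF, UU, FF, TT), (FF, TT, FF, TT),
    (UU, TT, TT, FF), (FF, TT, TT, FF), (UU, FF, FF, FF), (TT, FF, FF, FF),
    (TT, TT, UU, UU), (FF, FF, UU, UU), (TT, FF, UU, UU), (FF, TT, UU, UU),
    (FF, FF, TT, ABSURD), (FF, UU, TT, ABSURD), (UU, FF, TT, ABSURD),
    (TT, TT, FF, ABSURD), (TT, UU, FF, ABSURD), (UU, TT, FF, ABSURD),
]

def failing_table_rows():
    """Rows of the appendix-1 table that the model does not validate."""
    bad = []
    for a, b, value, forced in APPENDIX1_TABLE:
        witnesses = [p for p in VALUES if cond(p, a, b) is value]
        expected = [] if forced is ABSURD else [forced]
        if witnesses != expected:
            bad.append((a, b, value, forced))
    return bad

def failing_laws():
    """Quantified laws and sequents of appendices 1 and 2 that fail."""
    x, y, z = "X", "Y", "Z"                      # arbitrary individuals
    laws = {
        "(P→TT,FF) ≡ P":     for_all(1, lambda p: cond(p, TT, FF) is p),
        "(P→UU,UU) ≡ UU":    for_all(1, lambda p: cond(p, UU, UU) is UU),
        "TT∨P ≡ TT":         for_all(1, lambda p: v_or(TT, p) is TT),
        "FF∨P ≡ P":          for_all(1, lambda p: v_or(FF, p) is p),
        "UU∨P ⊂ TT":         for_all(1, lambda p: below(v_or(UU, p), TT)),
        "TT∧P ≡ P":          for_all(1, lambda p: v_and(TT, p) is p),
        "FF∧P ≡ FF":         for_all(1, lambda p: v_and(FF, p) is FF),
        "UU∧P ⊂ FF":         for_all(1, lambda p: below(v_and(UU, p), FF)),
        "UU=P ≡ UU":         for_all(1, lambda p: v_eq(UU, p) is UU),
        "¬¬P ≡ P":           for_all(1, lambda p: v_not(v_not(p)) is p),
        "P∨Q ≡ Q∨P":         for_all(2, lambda p, q: v_or(p, q) is v_or(q, p)),
        "(P∨Q)∨R ≡ P∨(Q∨R)": for_all(3, lambda p, q, r:
                                     v_or(v_or(p, q), r) is v_or(p, v_or(q, r))),
        "(P∧Q)∧R ≡ P∧(Q∧R)": for_all(3, lambda p, q, r:
                                     v_and(v_and(p, q), r) is v_and(p, v_and(q, r))),
        "(P=Q)=R ≡ P=(Q=R)": for_all(3, lambda p, q, r:
                                     v_eq(v_eq(p, q), r) is v_eq(p, v_eq(q, r))),
        "P=Q≡TT ⊢ P≡Q":      for_all(2, lambda p, q: v_eq(p, q) is not TT or p is q),
        "P∨Q≡FF ⊢ P≡FF":     for_all(2, lambda p, q: v_or(p, q) is not FF or p is FF),
        "P∧Q≡TT ⊢ Q≡TT":     for_all(2, lambda p, q: v_and(p, q) is not TT or q is TT),
        "P∧Q≡FF ⊢ P→X,(Q→Y,Z) ≡ Q→Y,(P→X,Z)": for_all(2, lambda p, q:
            v_and(p, q) is not FF
            or cond(p, x, cond(q, y, z)) is cond(q, y, cond(p, x, z))),
    }
    return [name for name, holds in laws.items() if not holds]
```

The two ⊂ laws are the ones that cannot be strengthened to ≡: UU∨P is TT when P is TT and UU otherwise, so it is only below TT, which the model confirms.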
APPENDIX 3 - Theorems that follow from the equality axioms alone.


⊢ ∂(UU) ≡ UU
⊢ ∀X. UU=X ≡ UU
⊢ ∀X. X=UU ≡ UU

∂(X)≡UU ⊢ X ≡ UU

∂(X)≡FF ⊢ TT ≡ FF

⊢ ∀X. ∂(X)→X,X ≡ X

(X=Y)≡TT ⊢ ∂(X) ≡ TT

(X=Y)≡FF ⊢ ∂(X) ≡ TT

∂(X)≡TT ⊢ X=X ≡ TT

⊢ ∀X. X=X ≡ ∂(X)

(X=Y)≡TT ⊢ X ≡ Y

∂(X)≡TT, X ≡ Y ⊢ X=Y ≡ TT

X=Y≡TT, Y=Z≡TT ⊢ X=Z ≡ TT

∂(X)≡TT, X=Y≡UU ⊢ Y ≡ UU

(X=Y)≡TT ⊢ Y=X ≡ TT

⊢ X=Y ≡ Y=X

(X=Y)≡FF, X⊂Y ⊢ TT ≡ FF

∂(X)≡TT, X⊂Y ⊢ X ≡ Y

APPENDIX 4

Theorems about Natural Numbers (see section 4).


a) Theorems which follow from axioms 4.2 to 4.8 alone:

⊢ Z(0) ≡ TT
⊢ isnat(0) ≡ TT
⊢ succ(0) ≡ 1
⊢ pred(1) ≡ 0
⊢ succ(1) ≡ 2
⊢ Z(1) ≡ FF
⊢ isnat(1) ≡ TT
⊢ pred(2) ≡ 1
⊢ Z(2) ≡ FF
⊢ isnat(2) ≡ TT
⊢ Z(UU) ≡ UU
⊢ isnat(UU) ≡ UU

Z(X)≡TT      ⊢ X ≡ 0
isnat(X)≡TT  ⊢ Z(succ(X)) ≡ FF
isnat(X)≡TT  ⊢ isnat(succ(X)) ≡ TT
isnat(X)≡FF  ⊢ TT ≡ FF

isnat(X)≡TT, Z(X)≡FF ⊢ isnat(pred(X)) ≡ TT
isnat(X)≡TT ⊢ pred(succ(X)) ≡ X
isnat(X)≡TT, Z(X)≡FF ⊢ succ(pred(X)) ≡ X

isnat(X)≡TT, isnat(Y)≡TT, succ(X)≡succ(Y) ⊢ X ≡ Y

g(0)≡TT, ∀X. isnat(X):: g(X):: g(succ(X))≡TT ⊢
    ∀X. isnat(X):: g(X)≡TT


b) Theorems that use 4.1 to 4.8 and the equality axioms.

isnat(X)≡TT ⊢ ∂(X) ≡ TT

Z(X)≡FF ⊢ ∂(X) ≡ TT

Z(X)≡UU ⊢ X ≡ UU

⊢ ∂(0) ≡ TT
⊢ ∂(1) ≡ TT
⊢ ∂(2) ≡ TT
⊢ succ(UU) ≡ UU
⊢ pred(UU) ≡ UU
⊢ (1=0) ≡ FF
⊢ (2=0) ≡ FF
⊢ (2=1) ≡ FF
APPENDIX 5

Proof of an Induction Theorem for Natural Numbers.


[ The proof is as supplied to the proof checker.  Material in square
  brackets is commentary. ]

[ theorem TH1 is  Z(x)≡TT ⊢ x ≡ 0
  theorem TH2 is  ⊢ Z(0)≡TT
  theorem TH3 is  isnat(x)≡TT, Z(x)≡FF ⊢ isnat(pred(x))≡TT
  theorem TH4 is  isnat(x)≡TT, Z(x)≡FF ⊢ succ(pred(x))≡x ]


LABEL L1;
ASSUME g(0)≡TT;
ASSUME ∀X. isnat(X):: g(X):: g(succ(X))≡TT;
GOAL ∀X. isnat(X):: isnat(X):: g(X)≡TT;
TRY INDUCT {step no. of DEF 4.3} OCC 1,3;
TRY 1 SIMPL;
LABEL L2;
TRY 2 ABSTR;                  [ Step .L2 is ∀X. F(X):: isnat(X):: g(X)≡TT ]
TRY 1 CASES Z(X);
TRY 1 SIMPL;                  [ Z(X)≡TT ]
USE TH1,-; USE TH2;
TRY SIMPL BY -,.L1;
TRY 2 SIMPL;                  [ Z(X)≡UU ]
LABEL L3;
TRY 3 CASES F(pred(X));       [ Z(X)≡FF ]
TRY 2 SIMPL;                  [ F(pred(X))≡UU ]
TRY 3 SIMPL;                  [ F(pred(X))≡FF ]
TRY 1 CASES isnat(X);         [ F(pred(X))≡TT ]
TRY 1 SIMPL;                  [ isnat(X)≡TT ]
USE TH3,-,.L3;                [ isnat(pred(X))≡TT ]
APPL .L2,pred(X); SIMPL - BY -;          [ g(pred(X))≡TT ]
USE TH4,-,.L3;
APPL .L1+1,pred(X); SIMPL - BY -,-,-;    [ g(X)≡TT ]
TRY SIMPL BY -;
TRY 2 SIMPL;                  [ isnat(X)≡UU ]
TRY 3 SIMPL;                  [ isnat(X)≡FF ]
GOAL ∀X. isnat(X):: g(X)≡TT;
TRY ABSTR;
TRY 1 CASES isnat(X);
TRY 1 SIMPL;                  [ isnat(X)≡TT ]
APPL -,X; SIMPL -;
TRY 1 SIMPL BY -;
TRY 2 SIMPL;                  [ isnat(X)≡UU ]
TRY 3 SIMPL;                  [ isnat(X)≡FF ]
THEOREM NATHIND;


[ The theorem NATHIND is
  g(0)≡TT, ∀x. isnat(x):: g(x):: g(succ(x))≡TT ⊢ ∀x. isnat(x):: g(x)≡TT ]
APPENDIX 6 - Theorems that follow from axioms 5.1 to 5.8
(together with axioms of sections 3 and 4).


⊢ pos(0) ≡ FF
⊢ pos(1) ≡ TT
⊢ pos(2) ≡ TT
⊢ pos(UU) ≡ UU
⊢ isint(UU) ≡ UU

isint(X)≡UU ⊢ X ≡ UU

isint(X)≡TT ⊢ ∂(X) ≡ TT

pos(X)≡TT ⊢ isint(X) ≡ TT

pos(X)≡FF ⊢ isint(X) ≡ TT

isnat(X)≡TT ⊢ isint(X) ≡ TT

isint(mns(X))≡TT ⊢ isint(X) ≡ TT

isint(X)≡TT ⊢ isint(mns(X)) ≡ TT

⊢ isint(0) ≡ TT
⊢ isint(1) ≡ TT
⊢ isint(2) ≡ TT
⊢ mns(0) ≡ 0

isint(X)≡TT ⊢ mns(mns(X)) ≡ X
⊢ mns(UU) ≡ UU
isint(X)≡FF ⊢ mns(X) ≡ UU

isint(X)≡FF ⊢ Z(X) ≡ FF

pos(X)≡FF, pos(mns(X))≡FF ⊢ X ≡ 0

pos(X)≡TT ⊢ Z(X) ≡ FF

pos(mns(X))≡TT ⊢ Z(X) ≡ FF

isnat(X)≡TT, pos(X)≡FF ⊢ X ≡ 0

⊢ ∀X. Z(mns(X)) ≡ isint(X)→Z(X),UU

isnat(X)≡TT, Z(X)≡FF ⊢ pos(X) ≡ TT

isnat(mns(X))≡TT ⊢ pos(X) ≡ FF

pos(mns(X))≡TT ⊢ pos(X) ≡ FF

pos(mns(X))≡FF, Z(X)≡FF ⊢ pos(X) ≡ TT

pos(X)≡TT ⊢ pos(mns(X)) ≡ FF

pos(X)≡FF, Z(X)≡FF ⊢ pos(mns(X)) ≡ TT

isint(X)≡FF ⊢ pos(X) ≡ UU

Z(mns(X))≡TT ⊢ X ≡ 0
pos(X)≡TT ⊢ isnat(X) ≡ TT
pos(X)≡FF ⊢ isnat(mns(X)) ≡ TT


APPENDIX 6 (continued).


isint(X)≡FF ⊢ succ(X) ≡ UU

isint(X)≡FF ⊢ pred(X) ≡ UU

isint(X)≡TT ⊢ pred(succ(X)) ≡ X

isint(X)≡TT ⊢ succ(pred(X)) ≡ X

pos(X)≡TT ⊢ pos(succ(X)) ≡ TT

pos(X)≡FF ⊢ pos(pred(X)) ≡ FF

isint(X)≡TT ⊢ isint(succ(X)) ≡ TT

isint(X)≡TT ⊢ isint(pred(X)) ≡ TT

isint(succ(X))≡TT ⊢ isint(X) ≡ TT
isint(pred(X))≡TT ⊢ isint(X) ≡ TT

⊢ ∀X. succ(mns(X)) ≡ mns(pred(X))

⊢ ∀X. pred(mns(X)) ≡ mns(succ(X))

pos(X)≡UU, isint(X)≡TT ⊢ TT ≡ FF

mns(X)≡UU, isint(X)≡TT ⊢ TT ≡ FF

pred(X)≡UU, isint(X)≡TT ⊢ TT ≡ FF

succ(X)≡UU, isint(X)≡TT ⊢ TT ≡ FF

g(0)≡TT, ∀x. isint(x):: g(x)≡g(succ(x)) ⊢ ∀X. isint(X):: g(X) ≡ TT

g(0)≡h(0), ∀X. isint(X):: ∂(g(X))≡TT, ∀X. isint(X):: ∂(h(X))≡TT,
∀X. isint(X):: (g(X)≡h(X)):: g(succ(X))≡h(succ(X)),
∀X. isint(X):: (g(X)≡h(X)):: g(pred(X))≡h(pred(X)) ⊢
    ∀X. isint(X):: g(X) ≡ h(X)


APPENDIX 7 - Theorems about the operations of arithmetic.

( uses the axioms of sections 3, 4 and 5 ).

a) Consider first the arithmetic of + and -.

|- ∀X. X+UU ≡ UU
|- ∀X. UU+X ≡ UU
|- ∀X. X-UU ≡ UU
|- ∀X. UU-X ≡ UU

isint(X)≡FF |- ∀Y. X+Y ≡ UU
isint(Y)≡FF |- ∀X. X+Y ≡ UU
isint(X)≡FF |- ∀Y. X-Y ≡ UU
isint(Y)≡FF |- ∀X. X-Y ≡ UU

isint(X)≡TT |- X+0 ≡ X
isint(X)≡TT |- X-0 ≡ X
|- ∀X. X+1 ≡ succ(X)
|- ∀X. X-1 ≡ pred(X)
isint(X)≡TT |- X+mns(X) ≡ 0
isint(X)≡TT |- mns(X)+X ≡ 0
isint(X)≡TT |- X-X ≡ 0

|- ∀X Y. succ(X)+pred(Y) ≡ X+Y
|- ∀X Y. pred(X)+succ(Y) ≡ X+Y
|- ∀X Y. succ(X)+Y ≡ X+succ(Y)
|- ∀X Y. pred(X)+Y ≡ X+pred(Y)
|- ∀X Y. succ(X+Y) ≡ X+succ(Y)
|- ∀X Y. succ(X+Y) ≡ succ(X)+Y
|- ∀X Y. pred(X+Y) ≡ X+pred(Y)
|- ∀X Y. pred(X+Y) ≡ pred(X)+Y

isint(X)≡TT, isint(Y)≡TT |- isint(X+Y) ≡ TT
isint(X+Y)≡TT |- isint(X) ≡ TT
isint(X+Y)≡TT |- isint(Y) ≡ TT

|- ∀X Y Z. (X+Y)+Z ≡ X+(Y+Z)

isint(X+U)≡TT, X+U≡Y+U |- X ≡ Y
isint(X)≡TT |- 0+X ≡ X
|- ∀X. 0-X ≡ mns(X)
|- ∀X. 1+X ≡ succ(X)
|- ∀X. 1-X ≡ mns(pred(X))
|- X+Y ≡ Y+X
|- ∀X Y. mns(X+Y) ≡ mns(X)+mns(Y)

|- ∀X Y. succ(X)-Y ≡ X-pred(Y)
|- ∀X Y. pred(X)-Y ≡ X-succ(Y)
|- ∀X Y. succ(X)-succ(Y) ≡ X-Y
|- ∀X Y. pred(X)-pred(Y) ≡ X-Y
|- ∀X Y. mns(X-Y) ≡ Y-X
|- ∀X Y Z. X-(Y-Z) ≡ (X-Y)+Z
|- ∀X Y Z. X-(Y+Z) ≡ (X-Y)-Z
|- ∀X Y Z. X+(Y-Z) ≡ (X+Y)-Z
|- ∀X Y. succ(X-Y) ≡ X-pred(Y)
|- ∀X Y. succ(X-Y) ≡ succ(X)-Y
|- ∀X Y. pred(X-Y) ≡ X-succ(Y)
|- ∀X Y. pred(X-Y) ≡ pred(X)-Y

isint(X)≡TT, isint(Y)≡TT |- isint(X-Y) ≡ TT
isint(X-Y)≡TT |- isint(X) ≡ TT
isint(X-Y)≡TT |- isint(Y) ≡ TT
X-Y≡0 |- X ≡ Y
b) Now theorems from the defn. of multiplication.

|- ∀X. X*UU ≡ UU
|- ∀X. UU*X ≡ UU
isint(X)≡FF |- ∀Y. X*Y ≡ UU
isint(Y)≡FF |- ∀X. X*Y ≡ UU
isint(X)≡TT |- X*0 ≡ 0
isint(X)≡TT |- X*1 ≡ X

isint(X)≡TT, isint(Y)≡TT |- isint(X*Y) ≡ TT
isint(X*Y)≡TT |- isint(X) ≡ TT
isint(X*Y)≡TT |- isint(Y) ≡ TT

|- ∀X Y. X*Y ≡ (X*pred(Y))+X
|- ∀X Y. X*succ(Y) ≡ (X*Y)+X
|- ∀X Y. X*pred(Y) ≡ (X*Y)-X
isint(X)≡TT |- 0*X ≡ 0
|- ∀X Y. X*Y ≡ (pred(X)*Y)+Y
|- ∀X Y. succ(X)*Y ≡ (X*Y)+Y
|- ∀X Y. pred(X)*Y ≡ (X*Y)-Y
|- X*Y ≡ Y*X
isint(X)≡TT |- 1*X ≡ X
|- ∀X Y. mns(X)*Y ≡ mns(X*Y)
|- ∀X Y. X*mns(Y) ≡ mns(X*Y)
|- ∀X Y. mns(X)*mns(Y) ≡ X*Y

|- ∀X Y Z. X*(Y+Z) ≡ (X*Y)+(X*Z)
|- ∀X Y Z. X*(Y-Z) ≡ (X*Y)-(X*Z)
|- ∀X Y Z. (X+Y)*Z ≡ (X*Z)+(Y*Z)
|- ∀X Y Z. (X-Y)*Z ≡ (X*Z)-(Y*Z)
|- ∀X Y Z. (X*Y)*Z ≡ X*(Y*Z)
|- ∀X Y. (X+Y)*(X-Y) ≡ (X*X)-(Y*Y)

isnat(X)≡TT, isnat(Y)≡TT |- isnat(X+Y) ≡ TT
pos(X)≡TT, pos(Y)≡TT |- pos(X+Y) ≡ TT
pos(X)≡FF, pos(Y)≡FF |- pos(X+Y) ≡ FF
pos(X)≡TT, pos(Y)≡FF |- pos(X-Y) ≡ TT
pos(X)≡FF, pos(Y)≡TT |- pos(X-Y) ≡ FF
isnat(X)≡TT, isnat(Y)≡TT |- isnat(X*Y) ≡ TT
pos(X)≡TT, pos(Y)≡TT |- pos(X*Y) ≡ TT
pos(X)≡TT, pos(Y)≡FF |- pos(X*Y) ≡ FF
pos(mns(X))≡TT, pos(mns(Y))≡TT |- pos(X*Y) ≡ TT
pos(1-X)≡TT, isnat(X)≡TT |- X ≡ 0

c) Now add the division operator.

|- ∀X. X/UU ≡ UU
|- ∀X. X/0 ≡ UU
|- ∀X. UU/X ≡ UU
isint(X)≡FF |- ∀Y. X/Y ≡ UU
isint(Y)≡FF |- ∀X. X/Y ≡ UU
isint(X)≡TT, Z(X)≡FF |- 0/X ≡ 0
isint(X)≡TT, Z(X)≡FF |- X/X ≡ 1
pos(Y-X)≡TT, isnat(X)≡TT |- X/Y ≡ 0

∀y. isnat(y):: [αh. [λw. Z(w)→TT, g(pred(w))→h(pred(w)), UU]](y):: g(y)≡TT |-
∀z. isnat(z):: g(z) ≡ TT

pos(X)≡TT, [αh. [λw. Z(w)→TT, f(pred(w))→h(pred(w)), UU]](X)≡TT |-
∀Y. isnat(Y):: pos(X-Y):: f(Y) ≡ TT

isnat(X)≡TT, pos(Y)≡TT |- isnat(X/Y) ≡ TT
isint(X)≡TT, isint(Y)≡TT, Z(Y)≡FF |- isint(X/Y) ≡ TT
|- ∀X Y. mns(X)/Y ≡ mns(X/Y)
|- ∀X Y. X/mns(Y) ≡ mns(X/Y)
|- ∀X Y. mns(X)/mns(Y) ≡ X/Y
isint(X/Y)≡TT |- isint(X) ≡ TT
isint(X/Y)≡TT |- Z(Y) ≡ FF
isint(X/Y)≡TT |- isint(Y) ≡ TT

isnat(X)≡TT, pos(Y)≡TT, isnat(U)≡TT |- ((X*Y)+U)/Y ≡ X+(U/Y)
isint(X)≡TT, isint(Y)≡TT, Z(Y)≡FF |- (X*Y)/Y ≡ X
d) The mod operator (®) is remainder on division.

|- ∀X. X®UU ≡ UU
|- ∀X. X®0 ≡ UU
|- ∀X. UU®X ≡ UU
isint(X)≡FF |- ∀Y. X®Y ≡ UU
isint(Y)≡FF |- ∀X. X®Y ≡ UU
isint(X)≡TT, Z(X)≡FF |- 0®X ≡ 0
isint(X)≡TT, Z(X)≡FF |- X®X ≡ 0
isnat(X)≡TT, pos(Y-X)≡TT |- X®Y ≡ X
|- ∀X Y. mns(X)®Y ≡ mns(X®Y)
|- ∀X Y. X®mns(Y) ≡ X®Y
|- ∀X Y. mns(X)®mns(Y) ≡ mns(X®Y)
isint(X)≡TT, isint(Y)≡TT, Z(Y)≡FF |- isint(X®Y) ≡ TT
isint(X®Y)≡TT |- isint(X) ≡ TT
isint(X®Y)≡TT |- Z(Y) ≡ FF
isint(X®Y)≡TT |- isint(Y) ≡ TT
isint(X)≡TT, isint(Y)≡TT, Z(Y)≡FF |- (X*Y)®Y ≡ 0
isnat(X)≡TT, pos(Y)≡TT, isnat(U)≡TT |- ((X*Y)+U)®Y ≡ U®Y

|- ∀X Y. X®Y ≡ Z(Y)→UU, Z(X)→(isint(Y)→0,UU), (pos(X)→(pos(Y)→
(pos(Y-X)→X,(X-Y)®Y), X®mns(Y)), mns(mns(X)®Y))

|- ∀X Y. (X®Y)®Y ≡ X®Y
|- ∀X Y. (X/Y)*Y ≡ X-(X®Y)
isnat(X)≡TT, isint(Y)≡TT, Z(Y)≡FF |- isnat(X®Y) ≡ TT
isint(X)≡TT, isint(Y)≡TT, Z(Y)≡FF |- ((X/Y)*Y)+(X®Y) ≡ X
isnat(X)≡TT, isnat(Y)≡TT |- ∀U. (X+Y)®U ≡ ((X®U)+(Y®U))®U
(X/U)-(Y/U)≡0, (X®U)-(Y®U)≡0 |- X ≡ Y
isint(U)≡TT, isint(Y)≡TT, Z(Y)≡FF, U®Y≡(U+X)®Y |- X®Y ≡ 0
X®Y≡0, isint(U)≡TT |- (X*U)®Y ≡ 0
X®Y≡0, isint(U)≡TT |- (U*X)®Y ≡ 0
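The strict (UU-propagating) operators of sections a) to d) and the recursive equation for ®, as an added executable model (example code, not the paper's LCF text): UU is modelled as None, `div` truncates toward zero as the sign theorems of section c) require, and `check` instantiates a sample of the listed theorems about / and ® over a small range, UU included. The names `div`, `mod`, `strict2`, `THEOREMS` and `check` are this example's own.

```python
"""Added example (not from the paper): an executable model of the strict,
three-valued integer theory whose theorems are listed above.  UU is modelled
as None and every operator propagates it; `mod` is a transcription of the
recursive definition of ® given in section d), and `div` truncates toward
zero as the sign theorems mns(X)/Y ≡ mns(X/Y), X/mns(Y) ≡ mns(X/Y) require.
All names here are this example's own, not LCF identifiers."""
from itertools import product

UU = None              # the undefined element
TT, FF = True, False   # truth values

def isint(x): return UU if x is UU else isinstance(x, int)
def isnat(x): return UU if x is UU else x >= 0
def pos(x):   return UU if x is UU else x > 0
def Z(x):     return UU if x is UU else x == 0
def mns(x):   return UU if x is UU else -x

def strict2(f):
    """Lift a total function on ints to one that is strict in UU."""
    return lambda x, y: UU if x is UU or y is UU else f(x, y)

add = strict2(lambda x, y: x + y)
sub = strict2(lambda x, y: x - y)
mul = strict2(lambda x, y: x * y)

def div(x, y):
    """X/Y: UU when either argument is UU or Y is 0, else truncation."""
    if x is UU or y is UU or y == 0:
        return UU
    q = abs(x) // abs(y)
    return q if (x >= 0) == (y > 0) else -q

def mod(x, y):
    """X®Y, following the recursive equation of section d) clause by clause."""
    if x is UU or y is UU or Z(y):        # Z(Y) → UU
        return UU
    if Z(x):                              # Z(X) → (isint(Y) → 0, UU)
        return 0
    if pos(x):
        if pos(y):                        # pos(Y-X) → X, (X-Y)®Y
            return x if pos(y - x) else mod(x - y, y)
        return mod(x, mns(y))             # X ® mns(Y)
    return mns(mod(mns(x), y))            # mns(mns(X) ® Y)

# A sample of the listed theorems as (hypotheses, conclusion) over X, Y, U.
# Hypotheses test for ≡ TT / ≡ FF exactly, so a UU hypothesis never fires.
THEOREMS = {
    "isint(X)≡TT, isint(Y)≡TT, Z(Y)≡FF |- ((X/Y)*Y)+(X®Y) ≡ X":
        (lambda x, y, u: isint(x) is TT and isint(y) is TT and Z(y) is FF,
         lambda x, y, u: add(mul(div(x, y), y), mod(x, y)) == x),
    "isint(X)≡TT, isint(Y)≡TT, Z(Y)≡FF |- (X*Y)®Y ≡ 0":
        (lambda x, y, u: isint(x) is TT and isint(y) is TT and Z(y) is FF,
         lambda x, y, u: mod(mul(x, y), y) == 0),
    "isnat(X)≡TT, pos(Y)≡TT, isnat(U)≡TT |- ((X*Y)+U)®Y ≡ U®Y":
        (lambda x, y, u: isnat(x) is TT and pos(y) is TT and isnat(u) is TT,
         lambda x, y, u: mod(add(mul(x, y), u), y) == mod(u, y)),
    "pos(Y-X)≡TT, isnat(X)≡TT |- X/Y ≡ 0":
        (lambda x, y, u: pos(sub(y, x)) is TT and isnat(x) is TT,
         lambda x, y, u: div(x, y) == 0),
    "Y>0≡TT, X>0≡TT |- X>(Y®X) ≡ TT":
        (lambda x, y, u: pos(y) is TT and pos(x) is TT,
         lambda x, y, u: x > mod(y, x)),
    "|- ∀X Y. mns(X)/Y ≡ mns(X/Y)":
        (lambda x, y, u: TT, lambda x, y, u: div(mns(x), y) == mns(div(x, y))),
    "|- ∀X Y. mns(X)®Y ≡ mns(X®Y)":
        (lambda x, y, u: TT, lambda x, y, u: mod(mns(x), y) == mns(mod(x, y))),
    "|- ∀X Y. X®mns(Y) ≡ X®Y":
        (lambda x, y, u: TT, lambda x, y, u: mod(x, mns(y)) == mod(x, y)),
    "|- ∀X Y. (X®Y)®Y ≡ X®Y":
        (lambda x, y, u: TT, lambda x, y, u: mod(mod(x, y), y) == mod(x, y)),
    "|- ∀X Y. (X/Y)*Y ≡ X-(X®Y)":
        (lambda x, y, u: TT, lambda x, y, u: mul(div(x, y), y) == sub(x, mod(x, y))),
}

def check(lo=-6, hi=6):
    """Return every (theorem, X, Y, U) instance in [lo,hi] ∪ {UU} that fails.
    UU is included as a value so the strictness theorems are exercised too."""
    values = list(range(lo, hi + 1)) + [UU]
    failures = []
    for name, (hyp, concl) in THEOREMS.items():
        for x, y, u in product(values, repeat=3):
            if hyp(x, y, u) is TT and concl(x, y, u) is not TT:
                failures.append((name, x, y, u))
    return failures

if __name__ == "__main__":
    print("mod(-7, 3) =", mod(-7, 3), " div(-7, 3) =", div(-7, 3))
    print("failing instances:", check())
```

Note that the remainder takes the sign of the dividend (mod(-7, 3) is -1), which is exactly what mns(X)®Y ≡ mns(X®Y) forces.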


e) Relational operators ( ≥ , > ).

|- ∀X . X≥UU ≡ UU
|- ∀X . UU≥X ≡ UU
|- ∀X . X>UU ≡ UU
|- ∀X . UU>X ≡ UU

isint(X)≡FF |- ∀Y . X≥Y ≡ UU
isint(Y)≡FF |- ∀X . X≥Y ≡ UU
isint(X)≡FF |- ∀Y . X>Y ≡ UU
isint(Y)≡FF |- ∀X . X>Y ≡ UU

X>Y≡TT |- isint(X) ≡ TT
X>Y≡TT |- isint(Y) ≡ TT
X>Y≡FF |- isint(X) ≡ TT
X>Y≡FF |- isint(Y) ≡ TT

X>Y≡TT |- X≥Y ≡ TT
X≥Y≡FF |- X>Y ≡ FF
X>X≡TT |- TT ≡ FF
X≥X≡FF |- TT ≡ FF
X>Y≡TT, Y>X≡TT |- TT ≡ FF
X≥Y≡FF, Y>X≡FF |- TT ≡ FF
isint(X)≡TT, isint(Y)≡TT, X≥Y≡UU |- TT ≡ FF
isint(X)≡TT, isint(Y)≡TT, X>Y≡UU |- TT ≡ FF

X≥Y≡TT, Y≥X≡TT |- X ≡ Y
Y>X≡FF |- X≥Y ≡ TT
Y≥X≡FF |- X>Y ≡ TT
Y>X≡TT |- X≥Y ≡ FF
Y≥X≡TT |- X>Y ≡ FF

U>X≡TT, X>Y≡TT |- U>Y ≡ TT
U≥X≡TT, X≥Y≡TT |- U≥Y ≡ TT
U>X≡TT, X≥Y≡TT |- U>Y ≡ TT
U≥X≡TT, X>Y≡TT |- U>Y ≡ TT

isint(X)≡TT |- X≥X ≡ TT
isint(X)≡TT |- X>X ≡ FF

|- ∀X . pos(X) ≡ X>0
pos(X)≡TT |- X>0 ≡ TT
X>0≡TT |- pos(X) ≡ TT
|- ∀X Y . (X-Y)>0 ≡ X>Y
isnat(X-Y)≡TT |- X≥Y ≡ TT
isnat(X)≡TT |- X≥0 ≡ TT
isnat(mns(X))≡TT |- X>0 ≡ FF
X≥Y≡TT |- isnat(X-Y) ≡ TT
X≥0≡TT |- isnat(X) ≡ TT
|- ∀X . pos(X) ≡ 0>mns(X)
0>X≡TT |- pos(X) ≡ FF
|- ∀X . X>0 ≡ 0>mns(X)
|- ∀X . X≥0 ≡ 0≥mns(X)
|- ∀X Y . mns(X)>mns(Y) ≡ Y>X
|- ∀X Y . mns(X)≥mns(Y) ≡ Y≥X
|- ∀X Y . X≥succ(Y) ≡ X>Y
|- ∀X Y . X>pred(Y) ≡ X≥Y
|- ∀X Y . pred(X)≥Y ≡ X>Y
|- ∀X Y . succ(X)>Y ≡ X≥Y
f) The relational operators and arithmetic.

isint(X)≡TT |- ∀Y . (X+Y)≥X ≡ Y≥0
isint(Y)≡TT |- ∀X . (X+Y)≥Y ≡ X≥0
isint(X)≡TT |- ∀Y . (X+Y)>X ≡ Y>0
isint(Y)≡TT |- ∀X . (X+Y)>Y ≡ X>0
isint(X)≡TT |- ∀Y . (X-Y)≥X ≡ 0≥Y
isint(X)≡TT |- ∀Y . (X-Y)>X ≡ 0>Y

X>0≡TT |- ∀Y . (X*Y)≥X ≡ Y≥1
Y>0≡TT |- ∀X . (X*Y)≥Y ≡ X≥1
X>0≡TT |- ∀Y . (X*Y)>X ≡ Y>1
Y>0≡TT |- ∀X . (X*Y)>Y ≡ X>1

X>0≡TT, Y≥1≡TT |- X≥(X/Y) ≡ TT
X>0≡TT, Y>1≡TT |- X>(X/Y) ≡ TT
Y>0≡TT, X>0≡TT |- X>(Y®X) ≡ TT

isint(U)≡TT |- ∀X Y . (X+U)≥(Y+U) ≡ X≥Y
isint(U)≡TT |- ∀X Y . (U+X)≥(U+Y) ≡ X≥Y
isint(U)≡TT |- ∀X Y . (X+U)>(Y+U) ≡ X>Y
isint(U)≡TT |- ∀X Y . (U+X)>(U+Y) ≡ X>Y
isint(U)≡TT |- ∀X Y . (X-U)≥(Y-U) ≡ X≥Y
isint(U)≡TT |- ∀X Y . (U-X)≥(U-Y) ≡ Y≥X
isint(U)≡TT |- ∀X Y . (X-U)>(Y-U) ≡ X>Y
isint(U)≡TT |- ∀X Y . (U-X)>(U-Y) ≡ Y>X
U>0≡TT |- ∀X Y . (X*U)≥(Y*U) ≡ X≥Y
U>0≡TT |- ∀X Y . (U*X)≥(U*Y) ≡ X≥Y
U>0≡TT |- ∀X Y . (X*U)>(Y*U) ≡ X>Y
U>0≡TT |- ∀X Y . (U*X)>(U*Y) ≡ X>Y

X≥Y≡TT, U>0≡TT |- (X/U)≥(Y/U) ≡ TT
(X/U)>(Y/U)≡TT, U>0≡TT |- X>Y ≡ TT
U>0≡TT, X>0≡TT, Y>X≡TT |- (U/X)≥(U/Y) ≡ TT
(U/X)>(U/Y)≡TT, U>0≡TT, Y>0≡TT |- Y>X ≡ TT

X≥0≡TT, Y≥0≡TT |- (X+Y)≥0 ≡ TT
X≥0≡TT, Y>0≡TT |- (X+Y)>0 ≡ TT
X>0≡TT, Y≥0≡TT |- (X+Y)>0 ≡ TT
X>0≡TT, Y>0≡TT |- (X+Y)>0 ≡ TT
X≥0≡TT, Y≥0≡TT |- (X*Y)≥0 ≡ TT
X>0≡FF, Y>0≡FF |- (X*Y)≥0 ≡ TT
Y>0≡TT |- ∀X . (X*Y)≥0 ≡ X≥0
Y>0≡TT |- ∀X . (X*Y)>0 ≡ X>0
0>X≡TT, 0>Y≡TT |- (X*Y)>0 ≡ TT
X≥0≡TT, Y>0≡TT |- (X/Y)≥0 ≡ TT
Y>0≡TT |- ∀X . (X/Y)>0 ≡ X≥Y
X≥0≡TT, isint(Y)≡TT, Z(Y)≡FF |- (X®Y)≥0 ≡ TT
(X®Y)>0≡TT |- X>0 ≡ TT
g) The factorial operator.

|- Fac(UU) ≡ UU
isint(X)≡FF |- Fac(X) ≡ UU
X≥0≡FF |- Fac(X) ≡ UU
|- Fac(0) ≡ 1
|- Fac(1) ≡ 1
|- Fac(2) ≡ 2
X≥0≡TT |- Fac(X)>0 ≡ TT
∂(Fac(X))≡TT |- X≥0 ≡ TT
X≥0≡TT |- Fac(X+1) ≡ (X+1)*Fac(X)
X>0≡TT |- Fac(X)®X ≡ 0
Y>0≡TT, X≥Y≡TT |- Fac(X)®Y ≡ 0
Y>0≡TT, X≥Y≡TT |- Fac(X)®Fac(Y) ≡ 0
Y>0≡TT, X>Y≡TT |- Fac(X)>Fac(Y) ≡ TT


h) The oddness and evenness predicates.

|- even(UU) ≡ UU
|- odd(UU) ≡ UU
isint(X)≡FF |- even(X) ≡ UU
isint(X)≡FF |- odd(X) ≡ UU
|- even ≡ [λx . (odd(x)→FF,TT)]
|- odd ≡ [λx . (even(x)→FF,TT)]

even(X)≡TT |- isint(X) ≡ TT
even(X)≡FF |- isint(X) ≡ TT
odd(X)≡TT |- isint(X) ≡ TT
odd(X)≡FF |- isint(X) ≡ TT
even(X)≡UU, isint(X)≡TT |- TT ≡ FF
odd(X)≡UU, isint(X)≡TT |- TT ≡ FF

isint(X)≡TT |- even(X*2) ≡ TT
isint(X)≡TT |- even(2*X) ≡ TT
|- ∀X . even(mns(X)) ≡ even(X)
|- ∀X . odd(mns(X)) ≡ odd(X)
even(X)≡TT |- even(X+1) ≡ FF

|- even(0) ≡ TT
|- odd(0) ≡ FF
|- even(1) ≡ FF
|- odd(1) ≡ TT
|- even(2) ≡ TT
|- odd(2) ≡ FF
i) The 'Look' operation.

P(UU)≡UU |- ∀F . Look(UU,F,P) ≡ UU
P(X)≡FF |- Look(X,UU,P) ≡ UU
|- ∀X F . Look(X,F,UU) ≡ UU
P(X)≡TT |- ∀F . Look(X,F,P) ≡ X
∀X. P(X)≡FF |- ∀X F . Look(X,F,P) ≡ UU
P(X)≡FF, F(X)≡X |- Look(X,F,P) ≡ UU


j) The bounded quantifiers - 'buq' and 'beq'.

|- ∀Y P . buq(UU,Y,P) ≡ UU
|- ∀X P . buq(X,UU,P) ≡ UU
X>Y≡FF |- buq(X,Y,UU) ≡ UU
isint(X)≡FF |- ∀P . buq(X,Y,P) ≡ UU
isint(Y)≡FF |- ∀P . buq(X,Y,P) ≡ UU
X>Y≡TT |- ∀P . buq(X,Y,P) ≡ TT
isint(X)≡TT |- ∀P . buq(X,X,P) ≡ P(X)
buq(X,Y,P)≡TT |- isint(X) ≡ TT
buq(X,Y,P)≡TT |- isint(Y) ≡ TT
buq(X,Y,P)≡FF |- isint(X) ≡ TT
buq(X,Y,P)≡FF |- isint(Y) ≡ TT

|- ∀Y P . beq(UU,Y,P) ≡ UU
|- ∀X P . beq(X,UU,P) ≡ UU
X>Y≡FF |- beq(X,Y,UU) ≡ UU
isint(X)≡FF |- ∀P . beq(X,Y,P) ≡ UU
isint(Y)≡FF |- ∀P . beq(X,Y,P) ≡ UU
X>Y≡TT |- ∀P . beq(X,Y,P) ≡ FF
isint(X)≡TT |- ∀P . beq(X,X,P) ≡ P(X)
beq(X,Y,P)≡TT |- isint(X) ≡ TT
beq(X,Y,P)≡TT |- isint(Y) ≡ TT
beq(X,Y,P)≡FF |- isint(X) ≡ TT
beq(X,Y,P)≡FF |- isint(Y) ≡ TT


k) The primeness predicate for integers.

|- Pr(UU) ≡ UU
isint(X)≡FF |- Pr(X) ≡ UU
|- Pr(0) ≡ FF
|- Pr(1) ≡ FF
|- Pr(2) ≡ TT
Pr(X)≡TT |- isint(X) ≡ TT
Pr(X)≡FF |- isint(X) ≡ TT
|- ∀X . Pr(mns(X)) ≡ Pr(X)
APPENDIX 8 - Basic Theorems about S-expressions.

( depends on the equality axioms plus 6.1 - 6.10 ).

|- issexp(UU) ≡ UU
|- atom(UU) ≡ UU
|- null(UU) ≡ UU
|- head(UU) ≡ UU
|- tail(UU) ≡ UU
atom(X)≡TT |- head(X) ≡ UU
atom(X)≡TT |- tail(X) ≡ UU
issexp(X)≡UU |- X ≡ UU
atom(X)≡UU |- X ≡ UU
null(X)≡UU |- X ≡ UU

|- issexp(NIL) ≡ TT
|- ∂(NIL) ≡ TT
|- null(NIL) ≡ TT
|- atom(NIL) ≡ TT
|- head(NIL) ≡ UU
|- tail(NIL) ≡ UU

issexp(X)≡TT |- ∂(X) ≡ TT
issexp(X)≡FF |- ∂(X) ≡ TT
atom(X)≡TT |- ∂(X) ≡ TT
atom(X)≡FF |- ∂(X) ≡ TT
null(X)≡TT |- X ≡ NIL
issexp(X)≡FF |- null(X) ≡ FF
atom(X)≡TT, issexp(X)≡TT |- null(X) ≡ TT
atom(X)≡FF |- null(X) ≡ FF
issexp(X)≡FF |- atom(X) ≡ TT
issexp(X)≡TT, null(X)≡FF |- atom(X) ≡ FF
atom(X)≡FF |- issexp(X) ≡ TT
atom(X)≡TT, null(X)≡FF |- issexp(X) ≡ FF
∂(head(X))≡TT |- atom(X) ≡ FF
∂(tail(X))≡TT |- atom(X) ≡ FF

|- ∀X . cons(X,UU) ≡ UU
|- ∀X . cons(UU,X) ≡ UU
∂(Y)≡TT |- ∀X . head(cons(X,Y)) ≡ X
∂(X)≡TT |- ∀Y . tail(cons(X,Y)) ≡ Y
atom(X)≡FF |- ∂(head(X)) ≡ TT
atom(X)≡FF |- ∂(tail(X)) ≡ TT

head(X)≡UU |- atom(X) ≡ TT
tail(X)≡UU |- atom(X) ≡ TT
∂(X)≡TT, ∂(Y)≡TT |- issexp(cons(X,Y)) ≡ TT
∂(X)≡TT, ∂(Y)≡TT |- null(cons(X,Y)) ≡ FF
∂(X)≡TT, ∂(Y)≡TT |- atom(cons(X,Y)) ≡ FF
∂(cons(X,Y))≡TT |- ∂(X) ≡ TT
∂(cons(X,Y))≡TT |- ∂(Y) ≡ TT
|- ∀X . ∂(head(X)) ≡ ∂(tail(X))
head(X)≡X |- X ≡ UU
tail(X)≡X |- X ≡ UU
null(cons(X,Y))≡TT |- TT ≡ FF
APPENDIX 9 - Basic Theorems for Lists.

( axioms used are the equality axioms plus 6.1 - 6.11 ).

|- islist(NIL) ≡ TT
|- islist(UU) ≡ UU
islist(X)≡FF |- null(X) ≡ FF
issexp(X)≡FF |- islist(X) ≡ FF
islist(X)≡TT |- ∂(X) ≡ TT
islist(X)≡FF |- ∂(X) ≡ TT
islist(X)≡TT |- issexp(X) ≡ TT
islist(X)≡TT, null(X)≡FF |- atom(X) ≡ FF
∂(X)≡TT |- ∀Y . islist(cons(X,Y)) ≡ islist(Y)
islist(X)≡UU |- X ≡ UU
islist(tail(X))≡TT |- islist(X) ≡ TT
islist(X)≡TT, null(X)≡FF |- islist(tail(X)) ≡ TT

g(NIL)≡TT, ∀X Y . ∂(X) :: islist(Y) :: g(Y) :: g(cons(X,Y)) ≡ TT
|- ∀X . islist(X) :: g(X) ≡ TT

∀X . atom(X) :: g(X) ≡ TT, ∀X Y . g(X) :: g(Y) :: g(cons(X,Y)) ≡ TT
|- ∀X . ∂(X) :: g(X) ≡ TT

APPENDIX 10 - Theorems about the list operations of section 6.

( rely on the axioms of section 3 (equality) also ).

a) Concerning 'rev' and the auxiliary function 'rev2'.

|- ∀X . rev2(UU,X) ≡ UU
|- rev(UU) ≡ UU
|- ∀X . rev2(X,UU) ≡ UU
|- ∀X . rev2(NIL,X) ≡ X
|- ∀X . rev2(X,NIL) ≡ rev(X)
|- rev(NIL) ≡ NIL
islist(X)≡FF |- ∀Y . rev2(X,Y) ≡ UU
islist(X)≡FF |- rev(X) ≡ UU
islist(X)≡TT, ∂(Y)≡TT |- ∂(rev2(X,Y)) ≡ TT
islist(X)≡TT |- ∂(rev(X)) ≡ TT
∂(rev2(X,Y))≡TT |- islist(X) ≡ TT
∂(rev2(X,Y))≡TT |- ∂(Y) ≡ TT
∂(rev(X))≡TT |- islist(X) ≡ TT
islist(X)≡TT, islist(Y)≡TT |- rev(rev2(X,Y)) ≡ rev2(Y,X)
islist(X)≡TT |- rev(rev(X)) ≡ X
islist(X)≡TT |- ∀Y . islist(rev2(X,Y)) ≡ islist(Y)
islist(X)≡TT |- islist(rev(X)) ≡ TT
|- ∀X . rev(cons(X,NIL)) ≡ cons(X,NIL)
|- ∀X Y . rev(cons(X,cons(Y,NIL))) ≡ cons(Y,cons(X,NIL))
islist(X)≡TT |- null(rev(X)) ≡ null(X)


b) Concerning the '&' (append) function.

|- ∀X . UU&X ≡ UU
|- ∀X . X&UU ≡ UU
islist(X)≡FF |- ∀Y . X&Y ≡ UU
|- ∀X . NIL&X ≡ X
islist(X)≡TT |- X&NIL ≡ X
|- ∀X Y . X&Y ≡ rev2(rev(X),Y)
islist(X)≡TT, ∂(Y)≡TT |- ∂(X&Y) ≡ TT
islist(X)≡TT |- ∀Y . islist(X&Y) ≡ islist(Y)
|- ∀X Y . cons(X,NIL)&Y ≡ cons(X,Y)
|- ∀X Y . rev(X&Y) ≡ rev(Y)&rev(X)
|- ∀X Y . rev(X&cons(Y,NIL)) ≡ cons(Y,rev(X))
islist(X)≡TT, ∂(Y)≡TT |- head(X&Y) ≡ null(X)→head(Y),head(X)
islist(X)≡TT |- tail(X&Y) ≡ null(X)→tail(Y),(tail(X)&Y)
∂(X&Y)≡TT |- islist(X) ≡ TT
∂(X&Y)≡TT |- ∂(Y) ≡ TT
islist(X)≡TT, null(X)≡FF, ∂(Y)≡TT |- null(X&Y) ≡ FF
islist(X)≡TT, null(Y)≡FF |- null(X&Y) ≡ FF
X&Y≡NIL |- X ≡ NIL
X&Y≡NIL |- Y ≡ NIL
|- ∀X Y Z . (X&Y)&Z ≡ X&(Y&Z)
c) Properties of 'ANDmap' and 'ORmap'.

|- ∀p . ANDmap(UU,p) ≡ UU
islist(X)≡FF |- ∀p . ANDmap(X,p) ≡ UU
|- ∀p . ORmap(UU,p) ≡ UU
islist(X)≡FF |- ∀p . ORmap(X,p) ≡ UU
p(X)≡UU |- ∀Y . ANDmap(cons(X,Y),p) ≡ UU
p(X)≡UU |- ∀Y . ORmap(cons(X,Y),p) ≡ UU
|- ∀p . ANDmap(NIL,p) ≡ TT
|- ∀p . ORmap(NIL,p) ≡ FF
∂(X)≡TT |- ∀p . ANDmap(cons(X,NIL),p) ≡ p(X)
∂(X)≡TT |- ∀p . ORmap(cons(X,NIL),p) ≡ p(X)
ANDmap(X,p)→TT,TT ≡ TT |- islist(X) ≡ TT
ORmap(X,p)→TT,TT ≡ TT |- islist(X) ≡ TT
ANDmap(X,p)≡FF |- null(X) ≡ FF
ORmap(X,p)≡TT |- null(X) ≡ FF

ANDmap(Y,p)≡TT, p(X)≡TT, ∂(X)≡TT |- ANDmap(cons(X,Y),p) ≡ TT
p(X)≡FF, islist(cons(X,Y))≡TT |- ANDmap(cons(X,Y),p) ≡ FF
ANDmap(Y,p)≡FF, p(X)→∂(X),∂(X) ≡ TT |- ANDmap(cons(X,Y),p) ≡ FF
ORmap(Y,p)≡FF, p(X)≡FF, ∂(X)≡TT |- ORmap(cons(X,Y),p) ≡ FF
p(X)≡TT, islist(cons(X,Y))≡TT |- ORmap(cons(X,Y),p) ≡ TT
ORmap(Y,p)≡TT, p(X)→∂(X),∂(X) ≡ TT |- ORmap(cons(X,Y),p) ≡ TT

∀X. ∂(X):: p(X)→TT,TT ≡ TT, islist(Y)≡TT |- ANDmap(Y,p)→TT,TT ≡ TT
∀X. ∂(X):: p(X)→TT,TT ≡ TT, islist(Y)≡TT |- ORmap(Y,p)→TT,TT ≡ TT
ANDmap(Y,p)→TT,TT ≡ TT, p(X)→∂(X),∂(X) ≡ TT |- ANDmap(cons(X,Y),p)→TT,TT ≡ TT
ORmap(Y,p)→TT,TT ≡ TT, p(X)→∂(X),∂(X) ≡ TT |- ORmap(cons(X,Y),p)→TT,TT ≡ TT

ANDmap(X,p)≡TT, null(X)≡FF |- p(head(X)) ≡ TT
ANDmap(X,p)≡TT, null(X)≡FF |- ANDmap(tail(X),p) ≡ TT
ORmap(X,p)≡FF, null(X)≡FF |- p(head(X)) ≡ FF
ORmap(X,p)≡FF, null(X)≡FF |- ORmap(tail(X),p) ≡ FF
ANDmap(X,p)→TT,TT ≡ TT, null(X)≡FF |- p(head(X))→TT,TT ≡ TT
ORmap(X,p)→TT,TT ≡ TT, null(X)≡FF |- p(head(X))→TT,TT ≡ TT

ANDmap(X,p)≡TT, ANDmap(Y,p)≡TT |- ANDmap(rev2(X,Y),p) ≡ TT
ORmap(X,p)≡FF, ORmap(Y,p)≡FF |- ORmap(rev2(X,Y),p) ≡ FF
ANDmap(X,p)≡TT, ANDmap(Y,p)≡TT |- ANDmap(X&Y,p) ≡ TT
ORmap(X,p)≡FF, ORmap(Y,p)≡FF |- ORmap(X&Y,p) ≡ FF
ANDmap(X,p)≡TT |- ANDmap(rev(X),p) ≡ TT
ORmap(X,p)≡FF |- ORmap(rev(X),p) ≡ FF
ANDmap(X&Y,p)≡TT |- ANDmap(X,p) ≡ TT
ANDmap(X&Y,p)≡TT |- ANDmap(Y,p) ≡ TT
ORmap(X&Y,p)≡FF |- ORmap(X,p) ≡ FF
ORmap(X&Y,p)≡FF |- ORmap(Y,p) ≡ FF
ANDmap(rev(X),p)≡TT |- ANDmap(X,p) ≡ TT
ORmap(rev(X),p)≡FF |- ORmap(X,p) ≡ FF

ANDmap(X,p)≡FF, islist(Y)≡TT, ∀X. ∂(X):: p(X)→TT,TT ≡ TT |- ANDmap(X&Y,p) ≡ FF
ANDmap(Y,p)≡FF, islist(X)≡TT, ∀X. ∂(X):: p(X)→TT,TT ≡ TT |- ANDmap(X&Y,p) ≡ FF
ORmap(X,p)≡TT, islist(Y)≡TT, ∀X. ∂(X):: p(X)→TT,TT ≡ TT |- ORmap(X&Y,p) ≡ TT
ORmap(Y,p)≡TT, islist(X)≡TT, ∀X. ∂(X):: p(X)→TT,TT ≡ TT |- ORmap(X&Y,p) ≡ TT
ANDmap(X,p)≡FF, ∀X. ∂(X):: p(X)→TT,TT ≡ TT |- ANDmap(rev(X),p) ≡ FF
ORmap(X,p)≡TT, ∀X. ∂(X):: p(X)→TT,TT ≡ TT |- ORmap(rev(X),p) ≡ TT


d) Theorems concerning the 'FNmap' function.

|- ∀f . FNmap(UU,f) ≡ UU
islist(X)≡FF |- ∀f . FNmap(X,f) ≡ UU
|- ∀f . FNmap(NIL,f) ≡ NIL
∂(X)≡TT |- FNmap(cons(X,NIL),f) ≡ cons(f(X),NIL)
∂(FNmap(X,f))≡TT |- islist(X) ≡ TT
null(FNmap(X,f))≡FF |- null(X) ≡ FF
null(FNmap(X,f))≡TT |- null(X) ≡ TT
∀X. ∂(X):: ∂(f(X))≡TT, islist(X)≡TT |- ∂(FNmap(X,f)) ≡ TT
|- ∀X f . islist(FNmap(X,f)) ≡ ∂(FNmap(X,f))
|- ∀X Y f . FNmap(X&Y,f) ≡ FNmap(X,f)&FNmap(Y,f)
|- ∀X f . FNmap(rev(X),f) ≡ rev(FNmap(X,f))


e) Properties of the 'PRUNE' function.

|- ∀p . PRUNE(UU,p) ≡ UU
islist(X)≡FF |- ∀p . PRUNE(X,p) ≡ UU
|- ∀p . PRUNE(NIL,p) ≡ NIL
p(X)≡TT, ∂(X)≡TT |- PRUNE(cons(X,NIL),p) ≡ NIL
p(X)≡FF, ∂(X)≡TT |- PRUNE(cons(X,NIL),p) ≡ cons(X,NIL)
∂(PRUNE(X,p))≡TT |- islist(X) ≡ TT
null(PRUNE(X,p))≡FF |- null(X) ≡ FF
∀X. ∂(X):: p(X)→TT,TT ≡ TT, islist(X)≡TT |- ∂(PRUNE(X,p)) ≡ TT
|- ∀X p . islist(PRUNE(X,p)) ≡ ∂(PRUNE(X,p))
|- ∀X Y p . PRUNE(X&Y,p) ≡ PRUNE(X,p)&PRUNE(Y,p)
|- ∀X p . PRUNE(rev(X),p) ≡ rev(PRUNE(X,p))
f) The 'mem' predicate.

|- ∀X . mem(UU,X) ≡ UU
|- ∀X . mem(X,UU) ≡ UU
islist(Y)≡FF |- ∀X . mem(X,Y) ≡ UU
islist(Y)≡TT, mem(X,Y)≡UU |- X ≡ UU
mem(X,Y)≡TT |- ∂(X) ≡ TT
mem(X,Y)≡FF |- ∂(X) ≡ TT
mem(X,Y)≡TT |- islist(Y) ≡ TT
mem(X,Y)≡FF |- islist(Y) ≡ TT
mem(X,Y)≡TT |- null(Y) ≡ FF
∂(X)≡TT |- mem(X,NIL) ≡ FF
∂(X)≡TT, islist(Y)≡TT |- mem(X,cons(X,Y)) ≡ TT
mem(X,cons(Y,NIL))≡TT |- X ≡ Y
(X=head(Y))≡FF |- mem(X,tail(Y)) ≡ mem(X,Y)
∀X. ∂(X):: mem(X,Y)≡FF |- Y ≡ NIL
mem(X,Y)≡TT, ∂(U)≡TT |- mem(X,cons(U,Y)) ≡ TT
islist(tail(X))≡TT |- mem(head(X),X) ≡ TT
mem(X,Y)≡FF, null(Y)≡FF |- (X=head(Y)) ≡ FF
mem(X,Y)≡FF, null(Y)≡FF |- mem(X,tail(Y)) ≡ FF
|- ∀X Y . mem(X,rev(Y)) ≡ mem(X,Y)
mem(X,Y1)≡TT, islist(Y2)≡TT |- mem(X,(Y1&Y2)) ≡ TT
mem(X,Y2)≡TT, islist(Y1)≡TT |- mem(X,(Y1&Y2)) ≡ TT
mem(X,(Y1&Y2))≡FF |- mem(X,Y1) ≡ FF
mem(X,(Y1&Y2))≡FF |- mem(X,Y2) ≡ FF
mem(X,Y1)≡FF, mem(X,Y2)≡FF |- mem(X,(Y1&Y2)) ≡ FF

|- mem ≡ [αG. [λx y . (islist(y)→
(null(y)→(∂(x)→FF,UU), ((x=head(y))→TT,G(x,tail(y)))),UU)]]


g) The 'memL' predicate.

|- ∀X . memL(UU,X) ≡ UU
|- ∀X . memL(X,UU) ≡ UU
islist(X)≡FF |- ∀Y . memL(X,Y) ≡ UU
islist(Y)≡FF |- ∀X . memL(X,Y) ≡ UU
memL(X,Y)≡TT |- islist(X) ≡ TT
memL(X,Y)≡FF |- islist(X) ≡ TT
memL(X,Y)≡TT |- islist(Y) ≡ TT
memL(X,Y)≡FF |- islist(Y) ≡ TT
islist(X)≡TT |- memL(NIL,X) ≡ TT
islist(X)≡TT, islist(Y)≡TT, memL(X,Y)≡UU |- TT ≡ FF
|- ∀X Y . memL(cons(X,NIL),Y) ≡ mem(X,Y)

memL(tail(X),Y)≡TT |- memL(X,Y) ≡ mem(head(X),Y)
memL(X,Y)≡TT, null(X)≡FF |- mem(head(X),Y) ≡ TT
memL(X,Y)≡TT, null(X)≡FF |- memL(tail(X),Y) ≡ TT
memL(tail(X),Y)≡FF |- memL(X,Y) ≡ FF
memL(X,Y)≡TT, mem(A,X)≡TT |- mem(A,Y) ≡ TT

|- memL ≡ [αG. [λx y . (islist(y)→(islist(x)→
(null(x)→TT,(mem(head(x),y)→G(tail(x),y),FF)),UU),UU)]]

memL(X,tail(Y))≡TT |- memL(X,Y) ≡ TT
null(Y)≡FF, memL(X,Y)≡FF |- memL(X,tail(Y)) ≡ FF
islist(X)≡TT |- memL(X,X) ≡ TT
islist(X)≡TT, islist(Y)≡TT, ∀A. mem(A,X):: mem(A,Y) ≡ TT |- memL(X,Y) ≡ TT
∀X. islist(X):: memL(X,Y)≡null(X) |- Y ≡ NIL
memL(X,NIL)≡TT |- null(X) ≡ TT
memL(U,X)≡TT, memL(X,Y)≡TT |- memL(U,Y) ≡ TT
|- ∀X Y . memL(rev(X),Y) ≡ memL(X,Y)
|- ∀X Y . memL(X,rev(Y)) ≡ memL(X,Y)

memL(X,L1)≡TT, islist(L2)≡TT |- memL(X,L1&L2) ≡ TT
memL(X,L2)≡TT, islist(L1)≡TT |- memL(X,L1&L2) ≡ TT
memL(X1,Y)≡TT, memL(X2,Y)≡TT |- memL(X1&X2,Y) ≡ TT
memL(X1&X2,Y)≡TT |- memL(X1,Y) ≡ TT
memL(X1&X2,Y)≡TT |- memL(X2,Y) ≡ TT
memL(X,Y1&Y2)≡FF |- memL(X,Y1) ≡ FF
memL(X,Y1&Y2)≡FF |- memL(X,Y2) ≡ FF
memL(X1,Y)≡FF, islist(X2)≡TT |- memL(X1&X2,Y) ≡ FF
memL(X2,Y)≡FF, islist(X1)≡TT |- memL(X1&X2,Y) ≡ FF


h) 'memEQ' - Equality with respect to (list) membership.

|- ∀X . memEQ(UU,X) ≡ UU
|- ∀X . memEQ(X,UU) ≡ UU
islist(X)≡FF |- ∀Y . memEQ(X,Y) ≡ UU
islist(Y)≡FF |- ∀X . memEQ(X,Y) ≡ UU
memEQ(X,Y)≡TT |- islist(X) ≡ TT
memEQ(X,Y)≡FF |- islist(X) ≡ TT
memEQ(X,Y)≡TT |- islist(Y) ≡ TT
memEQ(X,Y)≡FF |- islist(Y) ≡ TT
islist(X)≡TT, islist(Y)≡TT, memEQ(X,Y)≡UU |- TT ≡ FF

memEQ(X,Y)≡TT |- memL(X,Y) ≡ TT
memEQ(X,Y)≡TT |- memL(Y,X) ≡ TT
memL(X,Y)≡FF |- memEQ(X,Y) ≡ FF
memL(Y,X)≡FF |- memEQ(X,Y) ≡ FF
islist(X)≡TT |- memEQ(X,X) ≡ TT
islist(X)≡TT |- memEQ(X,rev(X)) ≡ TT

|- ∀X Y . memEQ(X,Y) ≡ memEQ(Y,X)
memEQ(U,X)≡TT, memEQ(X,Y)≡TT |- memEQ(U,Y) ≡ TT
memEQ(U,X)≡TT, memEQ(X,Y)≡FF |- memEQ(U,Y) ≡ FF
memEQ(X,Y)≡TT |- memEQ(X&Y,X) ≡ TT
memEQ(X,Y)≡TT |- memEQ(X&Y,Y) ≡ TT
memEQ(X,Y)≡TT |- ∀z. mem(z,X) ≡ mem(z,Y)
islist(X)≡TT, ∀z. mem(z,X)≡mem(z,Y) |- memEQ(X,Y) ≡ TT


i) The 'memS' operation (deleting an element from a list).

|- ∀X . memS(UU,X) ≡ UU
|- ∀X . memS(X,UU) ≡ UU
islist(X)≡FF |- ∀Y . memS(X,Y) ≡ UU
∂(memS(X,Y))≡TT |- islist(X) ≡ TT
∂(memS(X,Y))≡TT |- ∂(Y) ≡ TT
islist(X)≡TT, ∂(Y)≡TT |- islist(memS(X,Y)) ≡ TT
∂(X)≡TT |- memS(NIL,X) ≡ NIL
|- ∀X Y . memS(cons(Y,X),Y) ≡ memS(X,Y)
islist(X)≡TT, ∂(Y)≡TT |- mem(Y,memS(X,Y)) ≡ FF
islist(X)≡TT, ∂(Y)≡TT |- memL(memS(X,Y),X) ≡ TT
mem(Y,X)≡FF |- memS(X,Y) ≡ X
|- ∀X Y . (memS(X,Y)=X) ≡ (mem(Y,X)→FF,TT)
|- ∀X Y . memL(X,memS(X,Y)) ≡ (mem(Y,X)→FF,TT)
|- ∀X Y . memEQ(memS(X,Y),X) ≡ (mem(Y,X)→FF,TT)


j) The 'memSL' operation.

|- ∀X . memSL(UU,X) ≡ UU
|- ∀X . memSL(X,UU) ≡ UU
islist(X)≡FF |- ∀Y . memSL(X,Y) ≡ UU
islist(Y)≡FF |- ∀X . memSL(X,Y) ≡ UU
∂(memSL(X,Y))≡TT |- islist(X) ≡ TT
∂(memSL(X,Y))≡TT |- islist(Y) ≡ TT
islist(X)≡TT, islist(Y)≡TT |- islist(memSL(X,Y)) ≡ TT
islist(X)≡TT |- memSL(NIL,X) ≡ NIL
islist(X)≡TT |- memSL(X,NIL) ≡ X
islist(X)≡TT |- ∀U Y . mem(U,memSL(X,Y)) ≡ (mem(U,Y)→FF,mem(U,X))
mem(U,Y)≡TT, islist(X)≡TT |- mem(U,memSL(X,Y)) ≡ FF
mem(U,X)≡FF, islist(Y)≡TT |- mem(U,memSL(X,Y)) ≡ FF
mem(U,X)≡TT, mem(U,Y)≡FF |- mem(U,memSL(X,Y)) ≡ TT
mem(U,memSL(X,Y))≡TT |- mem(U,X) ≡ TT
mem(U,memSL(X,Y))≡TT |- mem(U,Y) ≡ FF
islist(X)≡TT |- memSL(X,X) ≡ NIL


k) Properties of 'subexp'.

|- ∀X . subexp(X,UU) ≡ UU
|- ∀X . subexp(UU,X) ≡ UU
subexp(X,Y)≡TT |- ∂(X) ≡ TT
subexp(X,Y)≡TT |- ∂(Y) ≡ TT
subexp(X,Y)≡FF |- ∂(X) ≡ TT
subexp(X,Y)≡FF |- ∂(Y) ≡ TT
∂(X)≡TT, ∂(Y)≡TT, subexp(X,Y)≡UU |- TT ≡ FF
∂(X)≡TT |- subexp(X,X) ≡ TT
atom(X)≡FF |- subexp(head(X),X) ≡ TT
atom(X)≡FF |- subexp(tail(X),X) ≡ TT
atom(Y)≡TT |- ∀X . subexp(X,Y) ≡ (X=Y)
∂(X)≡TT |- ∀Y . subexp(X,cons(X,Y)) ≡ ∂(Y)
∂(X)≡TT |- ∀Y . subexp(Y,cons(X,Y)) ≡ ∂(Y)
subexp(X,head(Y))≡TT |- subexp(X,Y) ≡ TT
subexp(X,tail(Y))≡TT |- subexp(X,Y) ≡ TT
subexp(U,X)≡TT, subexp(X,Y)≡TT |- subexp(U,Y) ≡ TT
subexp(head(X),Y)≡FF |- subexp(X,Y) ≡ FF
subexp(tail(X),Y)≡FF |- subexp(X,Y) ≡ FF
subexp(X,Y)≡FF, atom(Y)≡FF |- subexp(X,head(Y)) ≡ FF
subexp(X,Y)≡FF, atom(Y)≡FF |- subexp(X,tail(Y)) ≡ FF
subexp(X,Y)≡TT, subexp(Y,X)≡TT |- X ≡ Y
atom(X)≡FF |- subexp(X,head(X)) ≡ FF
atom(X)≡FF |- subexp(X,tail(X)) ≡ FF


l) Properties of 'assoc'.

|- ∀X . assoc(X,UU) ≡ UU
|- ∀X . assoc(UU,X) ≡ UU
islist(Y)≡FF |- ∀X . assoc(X,Y) ≡ UU
atom(X)≡TT |- ∀W Y . assoc(W,cons(X,Y)) ≡ UU
∂(assoc(X,Y))≡TT |- ∂(X) ≡ TT
∂(assoc(X,Y))≡TT |- ∂(Y) ≡ TT
∂(X)≡TT |- assoc(X,NIL) ≡ NIL
islist(Y)≡TT |- ∀W X . assoc(W,cons(cons(W,X),Y)) ≡ cons(W,X)


m) The 'forL' function.

|- ∀f fNIL . forL(UU,f,fNIL) ≡ UU
∀X. f(X,UU)≡UU, islist(X)≡FF |- ∀fNIL . forL(X,f,fNIL) ≡ UU
∂(forL(X,f,fNIL))≡TT |- ∂(X) ≡ TT
|- ∀f fNIL . forL(NIL,f,fNIL) ≡ fNIL
∂(X)≡TT |- ∀f fNIL . forL(cons(X,NIL),f,fNIL) ≡ f(X,fNIL)
∂(X)≡TT, ∂(Y)≡TT |- ∀f fNIL . forL(cons(X,cons(Y,NIL)),f,fNIL) ≡ f(X,f(Y,fNIL))
APPENDIX 11 - Basic Theorems for Finite Sets.

( uses the axioms of sections 3, 6 and 7.1 to 7.6 ).

|- isset(UU) ≡ UU
isset(X)≡UU |- X ≡ UU
isset(X)≡TT |- ∂(X) ≡ TT
isset(X)≡FF |- ∂(X) ≡ TT
|- setof(UU) ≡ UU
|- listof(UU) ≡ UU
islist(X)≡FF |- setof(X) ≡ UU
isset(X)≡FF |- listof(X) ≡ UU
islist(X)≡TT |- isset(setof(X)) ≡ TT
isset(X)≡TT |- islist(listof(X)) ≡ TT
isset(X)≡TT |- setof(listof(X)) ≡ X
∂(setof(X))≡TT |- islist(X) ≡ TT
∂(listof(X))≡TT |- isset(X) ≡ TT
memEQ(X,Y)≡TT |- setof(X) ≡ setof(Y)
|- ∀X . setof(listof(setof(X))) ≡ setof(X)
|- ∀X . listof(setof(listof(X))) ≡ listof(X)
islist(X)≡TT |- memEQ(X,listof(setof(X))) ≡ TT
|- ∀X L . mem(X,listof(setof(L))) ≡ mem(X,L)
APPENDIX 12

Theorems About the Basic Set Operations.

(relies on the axioms of sections 3, 6, 7).


a) Theorems involving the null set.

⊢ isset(NS) ≡ TT
⊢ ∂(NS) ≡ TT
⊢ listof(NS) ≡ NIL
setof(X) ≡ NS ⊢ X ≡ NIL
listof(X) ≡ NIL ⊢ X ≡ NS
isset(X) ≡ TT, (X=NS) ≡ FF ⊢ null(listof(X)) ≡ FF


b) Properties of the membership relation.

⊢ ∀X . X∈UU ≡ UU
⊢ ∀X . UU∈X ≡ UU
isset(Y) ≡ FF ⊢ ∀X . X∈Y ≡ UU
isset(Y) ≡ TT, X∈Y ≡ UU ⊢ X ≡ UU
X∈Y ≡ TT ⊢ ∂(X) ≡ TT
X∈Y ≡ FF ⊢ ∂(X) ≡ TT
X∈Y ≡ TT ⊢ isset(Y) ≡ TT
X∈Y ≡ FF ⊢ isset(Y) ≡ TT
∂(X) ≡ TT ⊢ X∈NS ≡ FF
∀X. ∂(X) ⊃ X∈Y ≡ FF ⊢ Y ≡ NS
isset(Y) ≡ TT, ∀X. X∈Y2 ≡ X∈Y ⊢ Y2 ≡ Y


c) Introducing the 'subset' relation.

⊢ ∀X . subset(X,UU) ≡ UU
⊢ ∀X . subset(UU,X) ≡ UU
isset(X) ≡ FF ⊢ ∀Y . subset(X,Y) ≡ UU
isset(Y) ≡ FF ⊢ ∀X . subset(X,Y) ≡ UU
subset(X,Y) ≡ TT ⊢ isset(X) ≡ TT
subset(X,Y) ≡ TT ⊢ isset(Y) ≡ TT
subset(X,Y) ≡ FF ⊢ isset(X) ≡ TT
subset(X,Y) ≡ FF ⊢ isset(Y) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT, subset(X,Y) ≡ UU ⊢ TT ≡ FF
isset(X) ≡ TT ⊢ subset(NS,X) ≡ TT
subset(X,NS) ≡ TT ⊢ X ≡ NS
subset(X,Y) ≡ TT, U∈X ≡ TT ⊢ U∈Y ≡ TT
subset(X,Y) ≡ TT, U∈Y ≡ FF ⊢ U∈X ≡ FF
isset(X) ≡ TT ⊢ subset(X,X) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT, ∀U. U∈X ⊃ U∈Y ≡ TT ⊢ subset(X,Y) ≡ TT
subset(X,Y) ≡ TT ⊢ ∀U. U∈X ⊃ U∈Y ≡ TT
subset(X,NS) ≡ TT ⊢ X ≡ NS
subset(U,X) ≡ TT, subset(X,Y) ≡ TT ⊢ subset(U,Y) ≡ TT
APPENDIX 12 (continued).

d) The usual union operation - '∪'.

⊢ ∀X . X∪UU ≡ UU
⊢ ∀X . UU∪X ≡ UU
isset(X) ≡ FF ⊢ ∀Y . X∪Y ≡ UU
isset(Y) ≡ FF ⊢ ∀X . X∪Y ≡ UU
∂(X∪Y) ≡ TT ⊢ isset(X) ≡ TT
∂(X∪Y) ≡ TT ⊢ isset(Y) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT ⊢ isset(X∪Y) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT, X∪Y ≡ UU ⊢ TT ≡ FF
U∈X ≡ TT, isset(Y) ≡ TT ⊢ U∈(X∪Y) ≡ TT
U∈Y ≡ TT, isset(X) ≡ TT ⊢ U∈(X∪Y) ≡ TT
U∈X ≡ FF, U∈Y ≡ FF ⊢ U∈(X∪Y) ≡ FF
U∈(X∪Y) ≡ FF ⊢ U∈X ≡ FF
U∈(X∪Y) ≡ FF ⊢ U∈Y ≡ FF
isset(X) ≡ TT, isset(Y) ≡ TT ⊢ subset(X,X∪Y) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT ⊢ subset(Y,X∪Y) ≡ TT
isset(X) ≡ TT ⊢ X∪NS ≡ X
isset(X) ≡ TT ⊢ NS∪X ≡ X
isset(X) ≡ TT ⊢ X∪X ≡ X
subset(X,Y) ≡ TT ⊢ X∪Y ≡ Y
⊢ X∪Y ≡ Y∪X
⊢ ∀X Y Z . (X∪Y)∪Z ≡ X∪(Y∪Z)


e) The set subtraction ( \ ) operation.

⊢ ∀X . X\UU ≡ UU
⊢ ∀X . UU\X ≡ UU
isset(X) ≡ FF ⊢ ∀Y . X\Y ≡ UU
isset(Y) ≡ FF ⊢ ∀X . X\Y ≡ UU
∂(X\Y) ≡ TT ⊢ isset(X) ≡ TT
∂(X\Y) ≡ TT ⊢ isset(Y) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT ⊢ isset(X\Y) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT, X\Y ≡ UU ⊢ TT ≡ FF
U∈X ≡ FF, isset(Y) ≡ TT ⊢ U∈(X\Y) ≡ FF
U∈Y ≡ TT, isset(X) ≡ TT ⊢ U∈(X\Y) ≡ FF
U∈X ≡ TT, U∈Y ≡ FF ⊢ U∈(X\Y) ≡ TT
U∈(X\Y) ≡ TT ⊢ U∈X ≡ TT
U∈(X\Y) ≡ TT ⊢ U∈Y ≡ FF
isset(X) ≡ TT, isset(Y) ≡ TT ⊢ subset(X\Y,X) ≡ TT
isset(X) ≡ TT ⊢ X\X ≡ NS
isset(X) ≡ TT ⊢ X\NS ≡ X
isset(X) ≡ TT ⊢ NS\X ≡ NS
f) Properties of the usual intersection operation - '∩'.

⊢ ∀X . X∩UU ≡ UU
⊢ ∀X . UU∩X ≡ UU
isset(X) ≡ FF ⊢ ∀Y . X∩Y ≡ UU
isset(Y) ≡ FF ⊢ ∀X . X∩Y ≡ UU
∂(X∩Y) ≡ TT ⊢ isset(X) ≡ TT
∂(X∩Y) ≡ TT ⊢ isset(Y) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT ⊢ isset(X∩Y) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT, X∩Y ≡ UU ⊢ TT ≡ FF
U∈X ≡ FF, isset(Y) ≡ TT ⊢ U∈(X∩Y) ≡ FF
U∈Y ≡ FF, isset(X) ≡ TT ⊢ U∈(X∩Y) ≡ FF
U∈X ≡ TT, U∈Y ≡ TT ⊢ U∈(X∩Y) ≡ TT
U∈(X∩Y) ≡ TT ⊢ U∈X ≡ TT
U∈(X∩Y) ≡ TT ⊢ U∈Y ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT ⊢ subset(X∩Y,X) ≡ TT
isset(X) ≡ TT, isset(Y) ≡ TT ⊢ subset(X∩Y,Y) ≡ TT
isset(X) ≡ TT ⊢ X∩NS ≡ NS
isset(X) ≡ TT ⊢ NS∩X ≡ NS
isset(X) ≡ TT ⊢ X∩X ≡ X
⊢ X∩Y ≡ Y∩X
⊢ ∀X Y Z . (X∩Y)∩Z ≡ X∩(Y∩Z)


g) The 'select' function.

⊢ select(UU) ≡ UU
⊢ select(NS) ≡ UU
isset(X) ≡ FF ⊢ select(X) ≡ UU
∂(select(X)) ≡ TT ⊢ isset(X) ≡ TT
∂(select(X)) ≡ TT ⊢ (X=NS) ≡ FF
isset(X) ≡ TT, (X=NS) ≡ FF ⊢ ∂(select(X)) ≡ TT
isset(X) ≡ TT, (X=NS) ≡ FF ⊢ select(X)∈X ≡ TT


h) The 'singtn' function.

⊢ singtn(UU) ≡ UU
∂(X) ≡ TT ⊢ isset(singtn(X)) ≡ TT
∂(singtn(X)) ≡ TT ⊢ ∂(X) ≡ TT
∂(X) ≡ TT ⊢ X∈singtn(X) ≡ TT
X∈singtn(Y) ≡ TT ⊢ X ≡ Y
∂(X) ≡ TT ⊢ (singtn(X)=NS) ≡ FF
∂(X) ≡ TT ⊢ select(singtn(X)) ≡ X
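Added example, not part of the paper's appendices or of the LCF system: a small Python model of the finite-set theory of Appendices 11 and 12, with sets as the `setof` of a list over integer atoms, `None` standing for UU, and every operation strict in UU and in non-sets as the theorems require; `check_theorems` evaluates a sample of the Appendix 12 theorems on concrete inputs. The names `LSet`, `member`, `minus`, `inter` and `check_theorems` are my own choices, and ∂ is not modelled.

```python
UU = None               # the undefined element UU of the LCF domain
TT, FF = True, False    # the truth values TT and FF

class LSet:
    """A finite set, modelled as the sorted, duplicate-free 'setof' of a list."""
    def __init__(self, items):
        self.items = tuple(sorted(set(items)))
    def __eq__(self, other):
        return isinstance(other, LSet) and self.items == other.items

NS = LSet([])           # the null set NS

def isset(x):           # isset(UU) is UU; FF on anything that is not a set
    return UU if x is UU else (TT if isinstance(x, LSet) else FF)

def setof(xs):          # strict: UU, or a list containing UU, has no set
    return UU if xs is UU or UU in xs else LSet(xs)

def listof(s):          # listof(X) is UU unless isset(X) is TT
    return UU if isset(s) is not TT else list(s.items)

def member(x, s):       # x in s; UU when x is UU or s is not a set
    return UU if x is UU or isset(s) is not TT else x in s.items

def _strict(op):        # union, subtraction, intersection: UU unless both are sets
    return lambda x, y: (UU if (isset(x), isset(y)) != (TT, TT)
                         else LSet(op(set(x.items), set(y.items))))

union = _strict(set.union)
minus = _strict(set.difference)
inter = _strict(set.intersection)

def subset(x, y):       # every member of x is in y; UU unless both are sets
    return UU if (isset(x), isset(y)) != (TT, TT) else all(member(u, y) for u in x.items)

def select(s):          # select(NS) is UU; otherwise some element of the set
    return UU if isset(s) is not TT or s == NS else s.items[0]

def singtn(x):          # the singleton set {x}; UU for UU
    return UU if x is UU else LSet([x])

def check_theorems(x, y, u):
    """Checks a sample of the Appendix 12 theorems for sets x, y and a defined element u."""
    return (member(u, union(x, y)) == (member(u, x) or member(u, y)) and
            member(u, minus(x, y)) == (member(u, x) and not member(u, y)) and
            subset(inter(x, y), x) is TT and subset(x, union(x, y)) is TT and
            union(x, y) == union(y, x) and minus(x, x) == NS and
            subset(x, UU) is UU and union(UU, x) is UU and
            select(singtn(u)) == u and member(u, NS) is FF)
```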